tcpdump mailing list archives
Re: [Patch] tcpdump probabilistic sampling
From: Jesse Kempf <jkempf () davisvision com>
Date: Wed, 2 Apr 2008 11:01:10 -0400
On Apr 2, 2008, at 10:08 AM, Milosz Marian Hulboj wrote:
> On Wednesday 02 April 2008, Jesse Kempf wrote:
> > Hi,
> >
> > So tcpdump tends to jam up the terminal a bit when you try to dump on a saturated gigabit link. I've added a -P option to tcpdump that lets you specify a probability for tcpdump to print each packet. It uses drand48() to figure out whether each packet captured should be printed. Obviously this isn't the same thing as saying "print every Nth packet" since this is a Bernoulli process and the expected value of the number of printed packets is different. Also, I hacked up the print_packet function, so this only works for parse and print mode.
>
> Hello,
>
> Wouldn't it be better to allow several different types of sampling that would match the commonly encountered schemas:
> - random probabilistic sampling (Bernoulli's sampling)
> - systematic sampling (not really random - just the skip counter)
> - sFlow like sampling schema (on average 1-out-of-N samples)
What does deterministic sampling give you that random sampling does?
> And does it have to be done on the printing level? I don't know the details, but it would make much more sense to apply the 'random filtering' as early as possible.
pcap_loop() is provided with a callback function to be called when a packet clears the filter. So the beginning of the print_packet function is as early as you can get.
Cheers,
-Jesse Kempf
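The three sampling schemes listed in the quoted message, written as a decision function that would run first in a pcap_loop() callback. This is an added example, not code from the posted patch or from tcpdump: all names are illustrative, and the random-skip variant (skip drawn uniformly from 1..2N-1) is one assumed way to get 1-in-N on average. It also counts how many samples land on a constructed every-10th-packet pattern.

```c
#define _XOPEN_SOURCE 600  /* drand48(), srand48() */
#include <stdio.h>
#include <stdlib.h>
/* Illustrative names throughout; none of this is from the posted patch. */
enum mode { BERNOULLI, SYSTEMATIC, RANDOM_SKIP };
struct sampler {
    enum mode mode;
    double p;       /* BERNOULLI: probability of taking each packet */
    unsigned n;     /* SYSTEMATIC, RANDOM_SKIP: take 1 packet in n (n >= 1) */
    unsigned skip;  /* countdown to the next packet taken */
};
static unsigned next_skip(const struct sampler *s) {
    if (s->mode == SYSTEMATIC) return s->n;             /* fixed stride */
    return 1 + (unsigned)(drand48() * (2 * s->n - 1));  /* uniform 1..2n-1, mean n */
}
void sampler_init(struct sampler *s, enum mode m, double p, unsigned n) {
    s->mode = m; s->p = p; s->n = n;
    s->skip = (m == BERNOULLI) ? 0 : next_skip(s);
}

/* Returns 1 when the packet should be printed, 0 when it should be dropped. */
int sampler_take(struct sampler *s) {
    if (s->mode == BERNOULLI) return drand48() < s->p;
    if (--s->skip > 0) return 0;
    s->skip = next_skip(s);
    return 1;
}

/* Feed `total` constructed packets through a sampler; every `period`-th one is
 * marked periodic, and *periodic receives how many of those were taken. */
unsigned run(enum mode m, double p, unsigned n, unsigned total,
             unsigned period, unsigned *periodic) {
    struct sampler s;
    unsigned taken = 0;
    srand48(1);  /* fixed seed so runs are repeatable */
    sampler_init(&s, m, p, n);
    *periodic = 0;
    for (unsigned i = 1; i <= total; i++)
        if (sampler_take(&s)) { taken++; *periodic += (i % period == 0); }
    return taken;
}

int main(void) {
    unsigned per, t;
    for (int m = BERNOULLI; m <= RANDOM_SKIP; m++) {
        t = run((enum mode)m, 0.1, 10, 100000, 10, &per);
        printf("mode=%d taken=%u periodic=%u\n", m, t, per);
    }
    return 0;
}
```

With a stride of 10 and a period of 10, the systematic sampler takes only the marked packets, while both random variants take roughly one in ten of them.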