tcpdump mailing list archives

Re: pcap performance question


From: Fabian Schneider <schneifa () net in tum de>
Date: Mon, 19 May 2008 22:00:39 +0200 (CEST)


Hi,

> I would like to capture TCP traffic to/from several groups of hosts, maybe we
> are talking about 20-30 groups in the maximum with something between 1-10
> hosts in each group. All these hosts have individual IPs and ports, there is no
> chance to capture parts of a network or something like that. I would like to
> do the job with libpcap under linux and winpcap under windows.

If I understood that correctly, you would end up with a filter expression
with 20-30 distinct IP ranges that will be concatenated with "and"s.

I can only tell this for Linux:

> If you had to solve this problem, which way would you go?

I would definitively go with the huge expression rather than single
threads. The reason is the following:

The filter expression will get transferred into BPF(-like for Linux) code
which is then executed in kernel context. All the packets that match
the expression end up in a queue to be withdrawn by the user-space
application usually using libpcap functionality. If you start several
capture threads simultaneously you will end up with multiple queues and
multiple processes requesting data from the kernel. This leads to a huge
amount of Kernel-to-Userspace context switches which harm the capturing
performance.

As shown in my master's thesis (Diplomarbeit) especially Linux cannot deal
with the load of multiple concurrent capturing processes well. But even
for complex filters (way more complex than your setting) the performance is
only slightly affected. See Sections 6.3.2 and 6.3.3 in my thesis:

http://www.net.t-labs.tu-berlin.de/~fabian/papers/da.pdf


   best
   Fabian Schneider

-- 
Fabian Schneider (Dipl. Inf.), An-Institut Deutsche Telekom Laboratories
Technische Universitaet Berlin, Fakultaet IV -- E-Technik und Informatik
address: Sekr. TEL 4, Ernst-Reuter-Platz 7, 10587 Berlin
e-mail: fabian () net in tum de, WWW: http://www.net.in.tum.de/~schneifa
phone: +49 30 8353 - 58513, mobile: +49 179 242 76 71
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
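The approach recommended in the reply above (one combined kernel-side filter instead of one capture process per host group), as an added example that is not from this thread, from libpcap or from the author: it assembles the filter expression from host groups and checks sample packet tuples against the same match semantics the compiled BPF filter would apply. In tcpdump filter syntax the per-host terms are joined with `or`, and each term binds the address to its port per direction, because a plain `host X and port Y` would also admit packets where X and port Y sit on opposite ends of the connection. The groups, addresses and packet tuples are constructed for illustration.

```python
"""Build one combined libpcap/tcpdump filter for many host groups and
check sample packets against it (added example, constructed data)."""
import ipaddress
from typing import List, Tuple

Host = Tuple[str, int]        # (IPv4 address, TCP port); hypothetical group entry
Packet = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)

# Constructed sample groups (documentation-range addresses, arbitrary ports).
GROUPS: List[List[Host]] = [
    [("192.0.2.10", 443), ("192.0.2.11", 8443)],
    [("198.51.100.5", 22)],
    [("203.0.113.7", 80), ("203.0.113.8", 80), ("203.0.113.9", 8080)],
]


def host_term(ip: str, port: int) -> str:
    """One filter term that ties the address to its port in each direction.

    "host X and port Y" alone is looser: host and port are checked
    independently, so X:other <-> other:Y would match too.
    """
    ipaddress.IPv4Address(ip)  # raise ValueError early on a malformed address
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return (f"(src host {ip} and src port {port})"
            f" or (dst host {ip} and dst port {port})")


def build_filter(groups: List[List[Host]]) -> str:
    """Join every host of every group with 'or' into a single expression."""
    terms = [host_term(ip, port) for group in groups for ip, port in group]
    if not terms:
        raise ValueError("no hosts to filter on")
    return "tcp and (" + " or ".join(terms) + ")"


def matches(packet: Packet, groups: List[List[Host]]) -> bool:
    """Mirror what the kernel-side filter built above would decide for a
    TCP packet: match when either endpoint is a listed (ip, port) pair."""
    src, sport, dst, dport = packet
    return any((src == ip and sport == port) or (dst == ip and dport == port)
               for group in groups for ip, port in group)


# Constructed packet tuples covering the match and non-match cases.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.1", 51000, "192.0.2.10", 443),    # client -> group-1 server
    ("198.51.100.5", 22, "10.0.0.2", 40000),   # group-2 server replying
    ("192.0.2.10", 51001, "10.0.0.3", 443),    # listed host, unbound port
    ("10.0.0.4", 80, "10.0.0.5", 80),          # listed port, unlisted hosts
]


def classify(packets: List[Packet] = SAMPLE_PACKETS,
             groups: List[List[Host]] = GROUPS) -> List[bool]:
    """Return the filter verdict for each sample packet."""
    return [matches(p, groups) for p in packets]


if __name__ == "__main__":
    print(build_filter(GROUPS))
    for pkt, verdict in zip(SAMPLE_PACKETS, classify()):
        print(f"{'MATCH ' if verdict else 'drop  '} {pkt}")
```

The expression string is what you would hand to `pcap_compile()` (or to `tcpdump -d` to inspect the generated BPF instructions); the third sample packet shows why the direction-bound terms matter, since the looser `host X and port Y` form would have admitted it.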