tcpdump3.9.8 slow performance with filter in FreeBSD 7.0

["lei wei" <weilei1983 () gmail com>]

Hello all,

I'm currently doing packet capturing on a FreeBSD 7.0 system. I was actually
running my own pcap based
program but found the performance was very bad when I added a simple filter
as "ip".  So I tested tcpdump
on the same machine. It turned out that the performance of tcpdump without a
filter expression is reasonably
well, but turned to unacceptable when applying an "ip" filter. I guess it
must have something to do with the libpcap0.9.8..  Below is some result I
got. The version on the machine is tcpdump3.9.8 with libpcap0.9.8

1. tcpdump without filter:
# tcpdump -i em1 -s 1500 -w dump.dat
433145 packets captured
448830 packets received by filter
0 packets dropped by kernel

2. tcpdump with filter:
# tcpdump -i em1 -s 1500 -w dump.dat ip
3984 packets captured
1091656 packets received by filter
0 packets dropped by kernel

Interestingly, on an older FreeBSD 6.0 system with tcpdump3.9.1 and
libpcap0.9.1, the performance of tcpdump with filter is much better than the
other, being able to capture 80% of the packets received by filter.

Can anybody shed some light on this problem?

Thank you very much!

Lei
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.