Re: tcpdump3.9.8 slow performance with filter in

[sthaug () nethelp no]

> I'm currently doing packet capturing on a FreeBSD 7.0 system. I was actually
> running my own pcap based
> program but found the performance was very bad when I added a simple filter
> as "ip".  So I tested tcpdump
> on the same machine. It turned out that the performance of tcpdump without a
> filter expression is reasonably
> well, but turned to unacceptable when applying an "ip" filter.

Please define "unacceptable".

> I guess it
> must have something to do with the libpcap0.9.8..  Below is some result I
> got. The version on the machine is tcpdump3.9.8 with libpcap0.9.8
>
> 1. tcpdump without filter:
> # tcpdump -i em1 -s 1500 -w dump.dat
> 433145 packets captured
> 448830 packets received by filter
> 0 packets dropped by kernel
>
> 2. tcpdump with filter:
> # tcpdump -i em1 -s 1500 -w dump.dat ip
> 3984 packets captured
> 1091656 packets received by filter
> 0 packets dropped by kernel

The statistics show 0 packets dropped. What is your problem here - are
you saying that there are *more* IP packets (in the 1091656 packets
received by the filter) than the 3984 packets captured?

I run tcpdump on various FreeBSD 7 systems myself with no apparent
problems.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.