tcpdump mailing list archives
Re: Linux capture buffering
From: Guy Harris <guy () alum mit edu>
Date: Sun, 10 May 2009 09:25:36 -0700
On May 10, 2009, at 7:52 AM, Asier Martínez wrote:
I'm a bit confused about what the behavior of Libpcap under Linux is when it is used to capture packets. If I'm not wrong, Libpcap under Linux ignores the timeout argument to_ms, so is Libpcap returning per captured packet?
Libpcap, prior to 1.0, does no buffering on Linux, as there is, as far as I know, no way to get a PF_PACKET socket not to wake up a reader until either
1) a certain minimum number of packets or amount of packet data is available
or
2) a timeout has expired
and deliver multiple packets with a single system call (as happens with, for example, BPF, Solaris's DLPI with the bufmod STREAMS module, and WinPcap's driver).
Libpcap 1.0 can use the memory-mapped capture mechanism; if so, it's not explicitly doing buffering, but when it gets woken up, it will process packets until it runs out of packets in the ring buffer, so it *could* process more than one packet per wakeup. However, there is, as far as I know, no way to *explicitly* request that a wakeup be delivered only after either a certain minimum number of packets or amount of packet data is available or a timeout has expired, which is why I say it's not *explicitly* doing buffering. I *suspect* that, with a high rate of packet arrival, you will get a significant amount of packet data per wakeup, but I've never measured it.
This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
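The drain-until-empty behaviour described above for the memory-mapped mechanism, as an added example that is not libpcap's code and not part of the original message. It assumes the kernel's TPACKET_V1 frame header (`struct tpacket_hdr`) and walks a constructed in-memory ring; the ring dimensions and the names `ring`, `frame_at`, `kernel_fill` and `drain_wakeup` are hypothetical, and a real reader would block in poll() on the PF_PACKET socket between calls.

```c
#include <stdio.h>
#include <linux/if_packet.h>   /* struct tpacket_hdr, TP_STATUS_KERNEL/USER */

#define FRAME_SIZE  128u       /* constructed values; a real ring sets these */
#define FRAME_COUNT 8u         /* through struct tpacket_req */

/* Constructed stand-in for the mmap()ed PACKET_RX_RING region. */
struct ring {
    _Alignas(8) unsigned char mem[FRAME_SIZE * FRAME_COUNT];
    unsigned int head;         /* next frame the reader will inspect */
};

static struct tpacket_hdr *frame_at(struct ring *r, unsigned int i) {
    return (struct tpacket_hdr *)(r->mem + (size_t)i * FRAME_SIZE);
}

/* Stand-in for the kernel storing n packets starting at slot `at`. */
static void kernel_fill(struct ring *r, unsigned int at, unsigned int n) {
    for (unsigned int k = 0; k < n; k++) {
        struct tpacket_hdr *h = frame_at(r, (at + k) % FRAME_COUNT);
        h->tp_len = h->tp_snaplen = 60;
        h->tp_status = TP_STATUS_USER;      /* frame now belongs to the reader */
    }
}

/* One wakeup: consume frames until the next one is still kernel-owned.
 * Returns the number of packets this single wakeup delivered. */
static unsigned int drain_wakeup(struct ring *r, unsigned long *bytes) {
    unsigned int n = 0;
    struct tpacket_hdr *h;
    while ((h = frame_at(r, r->head))->tp_status & TP_STATUS_USER) {
        *bytes += h->tp_snaplen;
        h->tp_status = TP_STATUS_KERNEL;    /* hand the slot back */
        r->head = (r->head + 1) % FRAME_COUNT;
        n++;
    }
    return n;                               /* ring empty: back to poll() */
}

int main(void) {
    static struct ring r;                   /* zeroed: every frame kernel-owned */
    unsigned long bytes = 0;
    kernel_fill(&r, 0, 1);                  /* quiet link: one packet */
    printf("wakeup 1: %u packet(s)\n", drain_wakeup(&r, &bytes));
    kernel_fill(&r, r.head, 5);             /* burst queued before the reader ran */
    printf("wakeup 2: %u packet(s)\n", drain_wakeup(&r, &bytes));
    return 0;
}
```

Nothing in the loop waits for a minimum packet count or a timeout; the number of packets per wakeup is simply however many frames the kernel filled before the reader ran.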