tcpdump mailing list archives
Re: Libpcap on VMWare
From: Dustin Spicuzza <dustin () virtualroadside com>
Date: Tue, 12 Jan 2010 16:42:37 -0500
Vikram Roopchand wrote:
May we also know what is this ring buffer people keep talking about ? Does libpcap standard distro have a ring buffer (related to the question above) ? And can PCAP_MEMORY or PCAP_FRAMES environment variable help increase it (as in the link above and here http://seclists.org/snort/2009/q1/209) ? We really want to try that ... I don't think this could be a VMWare issue.
My comments below about the ring buffer / memory mapped libpcap is linux libpcap only. AFAIK, using environment variables to change the configuration of an internal ring buffer is only implemented in Phil Wood's patched libpcap that you mentioned at http://public.lanl.gov/cpw/ . His patch(es) uses kernel functionality to allow using a ring buffer for packet capture to a mmap'ed buffer. However, when we used it there were some problems with it in our application -- but I think they only occurred when I was trying to capture from two interfaces at once. At some point, someone took his changes for using mmap and a ring buffer and integrated them into libpcap on tcpdump.org. However, they didn't bring in the environment variable stuff AFAIK. By default on linux it will use the mmap interface with a 2MB ring buffer (I think it was 2MB.. it was pretty small). To really take advantage of the ring buffer, you must modify the application to use the 'new' libpcap API to open the interface handle (pcap_create()/pcap_activate()), and call pcap_set_buffer_size() on the handle to set the ring buffer size. It allows you to create a buffer up to INTMAX, but the actual size of the buffer allocated will generally be slightly smaller than that, and the number of packets it can hold is a function of the page size on your system. I don't recommend using libpcap 1.0 release when playing with that -- there are a LOT of bugfixes that have made it in since the last release, so you should use the trunk version of libpcap if possible. In particular, theres a fix to allow you to allocate bigger memory buffers because of the way the allocation is done. I haven't used the mmap'ed ring buffer on VMWare, but we used a 2GB buffer to allow us to read/process 500Mbps off two interfaces with zero packet loss over the period of a few days. We also used pcap_dispatch() to process 1024 packets at a time... so that helped a lot also. It works quite well in my experience. :) Dustin -- Innovation is just a problem away
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Libpcap on VMWare Vikram Roopchand (Jan 12)
- Re: Libpcap on VMWare Vikram Roopchand (Jan 12)
- Re: Libpcap on VMWare Dustin Spicuzza (Jan 12)
- Re: Libpcap on VMWare Guy Harris (Jan 12)
- Re: Libpcap on VMWare Dustin Spicuzza (Jan 12)
- Re: Libpcap on VMWare Guy Harris (Jan 12)
- Re: Libpcap on VMWare Dustin Spicuzza (Jan 12)
- Re: Libpcap on VMWare Michael Richardson (Jan 13)
- Re: Libpcap on VMWare Guy Harris (Jan 12)
- Re: Libpcap on VMWare Mark Bednarczyk (Jan 12)
- Re: Libpcap on VMWare Guy Harris (Jan 12)
- Re: Libpcap on VMWare Vikram Roopchand (Jan 12)
- Re: Libpcap on VMWare Gert Doering (Jan 13)