tcpdump mailing list archives

Re: Libpcap on VMWare


From: Dustin Spicuzza <dustin () virtualroadside com>
Date: Tue, 12 Jan 2010 16:42:37 -0500

Vikram Roopchand wrote:

May we also know what is this ring buffer people keep talking about? Does
libpcap standard distro have a ring buffer (related to the question above)?
And can PCAP_MEMORY or PCAP_FRAMES environment variable help increase it (as
in the link above and here http://seclists.org/snort/2009/q1/209)? We
really want to try that ... I don't think this could be a VMWare issue.


My comments below about the ring buffer / memory-mapped libpcap are Linux
libpcap only.

AFAIK, using environment variables to change the configuration of an
internal ring buffer is only implemented in Phil Wood's patched libpcap
that you mentioned at http://public.lanl.gov/cpw/ . His patch(es) uses
kernel functionality to allow using a ring buffer for packet capture to
a mmap'ed buffer. However, when we used it there were some problems with
it in our application -- but I think they only occurred when I was
trying to capture from two interfaces at once.

At some point, someone took his changes for using mmap and a ring buffer
and integrated them into libpcap on tcpdump.org. However, they didn't
bring in the environment variable stuff AFAIK. By default on Linux it
will use the mmap interface with a 2MB ring buffer (I think it was 2MB..
it was pretty small).

To really take advantage of the ring buffer, you must modify the
application to use the 'new' libpcap API to open the interface handle
(pcap_create()/pcap_activate()), and call pcap_set_buffer_size() on the
handle to set the ring buffer size. It allows you to create a buffer up
to INTMAX, but the actual size of the buffer allocated will generally be
slightly smaller than that, and the number of packets it can hold is a
function of the page size on your system.

I don't recommend using libpcap 1.0 release when playing with that --
there are a LOT of bugfixes that have made it in since the last release,
so you should use the trunk version of libpcap if possible. In
particular, there's a fix to allow you to allocate bigger memory buffers
because of the way the allocation is done.

I haven't used the mmap'ed ring buffer on VMWare, but we used a 2GB
buffer to allow us to read/process 500Mbps off two interfaces with zero
packet loss over the period of a few days. We also used pcap_dispatch()
to process 1024 packets at a time... so that helped a lot also. It works
quite well in my experience. :)

Dustin


-- 
Innovation is just a problem away
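
The message above says the allocated ring ends up slightly smaller than the requested size and that its packet capacity depends on the page size. As an added example (not from the original post and not libpcap's own sizing code), this C program models a Linux PACKET_RX_RING layout to show both effects and to estimate how long a stalled reader can be absorbed. Assumptions: frames are aligned to 16 bytes, blocks are the smallest power-of-two multiple of the page size that fits one frame, frames never span blocks; `plan_ring`, `stall_headroom_s`, the 80-byte header reserve and the 800-byte average packet are hypothetical or constructed values.

```c
/* Added example: simplified PACKET_RX_RING sizing model, not libpcap source. */
#include <stdint.h>
#include <stdio.h>

#define RING_ALIGN 16u  /* TPACKET_ALIGNMENT in <linux/if_packet.h> */

struct ring_plan {
    uint32_t frame_size;    /* bytes per slot; one packet per slot */
    uint32_t block_size;    /* page-multiple chunk holding whole frames */
    uint64_t frames;        /* packets the ring can hold */
    uint64_t usable_bytes;  /* memory actually mapped, <= requested */
};

/* hdr_reserve (per-frame header room) is an assumed parameter. */
static struct ring_plan plan_ring(uint64_t requested, uint32_t snaplen,
                                  uint32_t hdr_reserve, uint32_t page_size)
{
    struct ring_plan p = {0, 0, 0, 0};
    uint64_t raw = (uint64_t)snaplen + hdr_reserve;
    if (page_size == 0 || raw == 0 || raw > (1u << 30))
        return p;                           /* reject nonsensical input */
    p.frame_size = (uint32_t)((raw + RING_ALIGN - 1) / RING_ALIGN * RING_ALIGN);
    p.block_size = page_size;
    while (p.block_size < p.frame_size)     /* frames never span blocks */
        p.block_size <<= 1;
    uint64_t blocks = requested / p.block_size;
    p.frames = blocks * (p.block_size / p.frame_size);
    p.usable_bytes = blocks * p.block_size;
    return p;
}

/* Seconds of traffic the ring absorbs if the reader stalls completely. */
static double stall_headroom_s(struct ring_plan p, double bits_per_s,
                               double avg_pkt_bytes)
{
    double pps = bits_per_s / (8.0 * avg_pkt_bytes);
    return pps > 0.0 ? (double)p.frames / pps : 0.0;
}

int main(void)
{
    /* Constructed inputs: INT_MAX request, 1514-byte snaplen, 80-byte reserve. */
    struct ring_plan p = plan_ring(2147483647u, 1514, 80, 4096);
    printf("frames=%llu usable=%llu headroom=%.1fs\n",
           (unsigned long long)p.frames, (unsigned long long)p.usable_bytes,
           stall_headroom_s(p, 500e6, 800.0));
    return 0;
}
```

In this model a large snaplen inflates every slot, so a 2MB ring with a 65535-byte snaplen holds only a handful of packets; lowering the snaplen raises capacity as much as enlarging the buffer does.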
