Re: Libpcap on VMWare

[Guy Harris <guy () alum mit edu>]

On Jan 12, 2010, at 1:42 PM, Dustin Spicuzza wrote:

> AFAIK, using environment variables to change the configuration of an
> internal ring buffer is only implemented in Phil Wood's patched libpcap
> that you mentioned at http://public.lanl.gov/cpw/.

Yes, that's the case.

> At some point, someone took his changes for using mmap and a ring buffer
> and integrated them into libpcap on tcpdump.org.

"Someone" = Paolo Abeni.

> However, they didn't bring in the environment variable stuff AFAIK.

Correct.

> By default on linux it
> will use the mmap interface with a 2MB ring buffer (I think it was 2MB..
> it was pretty small).

Yes, 2MB is the default.

> I don't recommend using libpcap 1.0 release when playing with that --
> there are a LOT of bugfixes that have made it in since the last release,
> so you should use the trunk version of libpcap if possible.

Yes.

> I haven't used the mmap'ed ring buffer on VMWare, but we used a 2GB
> buffer to allow us to read/process 500Mbps off two interfaces with zero
> packet loss over the period of a few days.

32-bit or 64-bit kernel, and 32-bit or 64-bit application?  (My guess would be 64-bit, as a 2GB buffer would eat up 
half the address space, and I have the impression that the Linux kernel keeps userland in the same address space, 
rather than having separate kernel and user address spaces, so I'm not sure you could have a 2GB buffer with a 32-bit 
kernel, and possibly not with a 32-bit userland.)

> We also used pcap_dispatch()
> to process 1024 packets at a time... so that helped a lot also.

When you say "1024 packets at a time", does that mean you pass 1024 as the cnt argument, so that it doesn't process 
*more* than 1024 packets at a time?  Does that work better than -1 (meaning "loop until you run out of packets")?
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.