tcpdump mailing list archives
pcap_dispatch on linux 2.6 with libpcap 1.1.1
From: Jim Lloyd <jlloyd () silvertailsystems com>
Date: Sat, 21 Aug 2010 15:30:37 -0700
I'm a little confused about the expected behavior of pcap_dispatch on linux using libcpap 1.1.1. The initialization code I use (error handling omitted) looks like this: mChannel = pcap_create(device, errbuf); int err = pcap_set_promisc(mChannel, int(promiscuous)); err = pcap_set_snaplen(mChannel, 65535); err = pcap_set_timeout(mChannel, 250); err = pcap_set_buffer_size(mChannel, 512*1024*1024); err = pcap_activate(mChannel); I call pcap_dispatch (from within a loop that does a small amount of other administrative work) as follows int result = pcap_dispatch(mChannel, 1000, Thunk, (u_char*) this); I have tested with the above logic while sniffing traffic on a GigE ethernet NIC (eth0) and on the loopback device (lo). The test machine is an 8-core Opteron with 32Gb of RAM running CentOS 5.5 with kernel 2.6.18. The traffic generator program is a small program using libcurl to repeatedly download a mix of static content from apache 2.2, with 4 concurrent connections. The test results are: pps Mbps avg packets/dispatch eth0 30K 850 3.009 lo 23K 1700 3.5 The total throughput here is excellent, so I'm not complaining. But why is the packets per dispatch so small? I was under the impression that at these data rates pcap_dispatch should process the requested 1000 packets per call instead of just ~3. Does this mean the 512Mb memory buffer is huge overkill? Aso, note that pcap_stats is not reporting any dropped packets, but I have a little bit of evidence that some packet loss may be occurring when sniffing ethernet. The evidence is that my application occasionally fails to reconstruct a TCP stream when sniffing ethernet, but never fails to reconstruct any TCP streams when sniffing loopback. However, I wouldn't be surprised if this is due to my TCP reconstruction code failing to handle some rare corner case that handles with real TCP packets but does not happen with loopback. Thanks in advance for any insights. Thanks, Jim Lloyd - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- pcap_dispatch on linux 2.6 with libpcap 1.1.1 Jim Lloyd (Aug 21)
- Re: pcap_dispatch on linux 2.6 with libpcap 1.1.1 Guy Harris (Aug 22)
- Re: pcap_dispatch on linux 2.6 with libpcap 1.1.1 Guy Harris (Aug 22)
- Re: pcap_dispatch on linux 2.6 with libpcap 1.1.1 Jim Lloyd (Aug 23)
- Re: pcap_dispatch on linux 2.6 with libpcap 1.1.1 Guy Harris (Aug 25)
- Re: pcap_dispatch on linux 2.6 with libpcap 1.1.1 Jim Lloyd (Aug 25)
- Re: pcap_dispatch on linux 2.6 with libpcap 1.1.1 Guy Harris (Aug 22)