tcpdump mailing list archives

Re: Best OS / Distribution for gigabit capture?


From: Guy Harris <guy () alum mit edu>
Date: Fri, 20 May 2011 12:11:31 -0700


On Feb 8, 2011, at 12:53 AM, M. V. wrote:

> (this result is with libpcap-0.9.8. i got much worse
> results with libpcap-1.0+).

What snapshot length are you using?  If, for example, this is on Ethernet, and you're capturing with a snapshot length 
of 65535 (that's the default for newer versions of tcpdump, the value you get with "-s 0" with all but really old 
versions of tcpdump, and the default with Wireshark/TShark/dumpcap), and it's using the memory-mapped capture mechanism 
(as would be the default, if available, with libpcap 1.0+), the ring buffer will have a relatively small number of 
overly-large buffer slots; try a snapshot length of, say, 1514.

I've checked into the trunk and 1.2 branches a change to attempt to keep the buffer slot sizes from being too big on 
Ethernet; unfortunately, it's a difficult problem to solve in the general case - you want the buffer slots to be the 
minimum of (snapshot length, largest possible packet size), but the "largest possible packet size" can be hard to get - 
yes, you can fetch the interface MTU, but that doesn't count the link-layer header, the maximum size of which is 
network-type-dependent, or any metadata such as radiotap headers, the proper maximum size of which might be 
*device*-dependent (and subject to change as new radiotap items are added, so even calculating the biggest possible 
radiotap header for a given version of radiotap might give a too-small answer).
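As an added illustration of the slot-sizing point above (this is a simplified model written for this archive page, not libpcap's code): the per-slot header overhead, the 16-byte alignment and the 2 MiB ring size are assumed constants, and ethernet_max_packet() uses the MTU-plus-link-header heuristic the message describes.

```python
# Added example, not from the original message: a simplified model of why a
# memory-mapped capture ring gets few slots when the snapshot length is 65535,
# and how bounding the slot size by the largest expected packet helps.
# SLOT_HDR_OVERHEAD, SLOT_ALIGN and ETHER_HDR_MAX are assumptions of the model.

ETHER_HDR_MAX = 14 + 4     # assumption: Ethernet header plus one VLAN tag
SLOT_ALIGN = 16            # assumption: slot sizes are rounded up to this
SLOT_HDR_OVERHEAD = 64     # assumption: per-slot metadata stored in the ring


def align_up(n, a):
    """Round n up to the next multiple of a."""
    return (n + a - 1) // a * a


def slot_size(snaplen, max_packet=None):
    """Bytes reserved per ring slot.

    With no bound on packet size the slot must hold a full snaplen of data;
    with a bound it only needs min(snaplen, max_packet), as the message says.
    """
    payload = snaplen if max_packet is None else min(snaplen, max_packet)
    return align_up(SLOT_HDR_OVERHEAD + payload, SLOT_ALIGN)


def ethernet_max_packet(mtu=1500):
    """Largest frame the model expects on Ethernet: MTU plus link header.

    This is only a heuristic; link types with variable metadata (radiotap)
    have no fixed maximum, which is the hard part the message points out.
    """
    return mtu + ETHER_HDR_MAX


def ring_slots(buffer_bytes, snaplen, max_packet=None):
    """How many packets the ring can hold before the reader must drain it."""
    return buffer_bytes // slot_size(snaplen, max_packet)


def compare(buffer_bytes=2 * 1024 * 1024):
    """Slot counts for a 2 MiB ring under the three policies discussed."""
    return {
        "snaplen_65535": ring_slots(buffer_bytes, 65535),
        "snaplen_1514": ring_slots(buffer_bytes, 1514),
        "snaplen_65535_bounded": ring_slots(buffer_bytes, 65535,
                                            ethernet_max_packet()),
    }


if __name__ == "__main__":
    for policy, slots in compare().items():
        print(f"{policy:>22}: {slots} slots")
```

With these assumed constants the 65535-byte snaplen leaves only a few dozen slots in the ring, while 1514 (or a bounded slot size) leaves well over a thousand, which is the difference between absorbing a burst and dropping it.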