tcpdump mailing list archives
Re: Best OS / Distribution for gigabit capture?
From: Guy Harris <guy () alum mit edu>
Date: Fri, 20 May 2011 12:11:31 -0700
On Feb 8, 2011, at 12:53 AM, M. V. wrote:

> (this result is with libpcap-0.9.8. I got much worse results with libpcap-1.0+).

What snapshot length are you using? If, for example, this is on Ethernet, and you're capturing with a snapshot length of 65535 (that's the default for newer versions of tcpdump, the value you get with "-s 0" with all but really old versions of tcpdump, and the default with Wireshark/TShark/dumpcap), and it's using the memory-mapped capture mechanism (as would be the default, if available, with libpcap 1.0+), the ring buffer will have a relatively small number of overly-large buffer slots; try a snapshot length of, say, 1514.

I've checked into the trunk and 1.2 branches a change to attempt to keep the buffer slot sizes from being too big on Ethernet; unfortunately, it's a difficult problem to solve in the general case - you want the buffer slots to be the minimum of (snapshot length, largest possible packet size), but the "largest possible packet size" can be hard to get - yes, you can fetch the interface MTU, but that doesn't count the link-layer header, the maximum size of which is network-type-dependent, or any metadata such as radiotap headers, the proper maximum size of which might be *device*-dependent (and subject to change as new radiotap items are added, so even calculating the biggest possible radiotap header for a given version of radiotap might give a too-small answer).
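
Added example (not part of the original message, and not libpcap's own code): a small model of the slot-sizing rule described above, showing how many slots a fixed-size ring holds at snapshot length 65535 versus 1514. The ring size, per-slot overhead, alignment and all names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed values for illustration; real ones depend on kernel and libpcap. */
#define RING_BYTES    (2u * 1024u * 1024u)  /* assumed total ring size */
#define SLOT_OVERHEAD 64u                   /* assumed per-slot header bytes */
#define SLOT_ALIGN    16u                   /* assumed slot alignment */

/* What is known about the link; meta_max < 0 means "cannot be determined"
 * (the radiotap case in the message). */
struct link_limits { unsigned mtu; unsigned ll_hdr_max; int meta_max; };

static const struct link_limits ETHERNET   = { 1500, 14, 0 };
static const struct link_limits RADIO_META = { 1500, 30, -1 }; /* constructed */

/* Payload per slot: min(snapshot length, largest possible packet size).
 * With no usable upper bound, only the snapshot length can be trusted. */
unsigned slot_payload(unsigned snaplen, const struct link_limits *l)
{
    if (l == NULL || l->meta_max < 0)
        return snaplen;
    unsigned largest = l->mtu + l->ll_hdr_max + (unsigned)l->meta_max;
    return snaplen < largest ? snaplen : largest;
}

/* Slot size: payload plus overhead, rounded up to the alignment. */
unsigned slot_size(unsigned snaplen, const struct link_limits *l)
{
    unsigned raw = slot_payload(snaplen, l) + SLOT_OVERHEAD;
    return (raw + SLOT_ALIGN - 1) / SLOT_ALIGN * SLOT_ALIGN;
}

/* Number of packets the ring can hold before the reader must catch up. */
unsigned slot_count(unsigned snaplen, const struct link_limits *l)
{
    return RING_BYTES / slot_size(snaplen, l);
}

int main(void)
{
    printf("snaplen 65535, no clamp:       %u slots\n", slot_count(65535, NULL));
    printf("snaplen 1514,  no clamp:       %u slots\n", slot_count(1514, NULL));
    printf("snaplen 65535, Ethernet clamp: %u slots\n", slot_count(65535, &ETHERNET));
    printf("snaplen 65535, unknown meta:   %u slots\n", slot_count(65535, &RADIO_META));
    return 0;
}
```

With these assumed constants the ring holds a few dozen slots at 65535 and over a thousand at 1514, which is why a burst at gigabit rates overruns the former much sooner.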