tcpdump mailing list archives
Re: Max lines in filter
From: George Bakos <gbakos () ists dartmouth edu>
Date: Tue, 10 Dec 2002 13:29:22 -0500
Here's a small bit of perl to create incrementally longer tcpdump filter files. As simple as they are, the filter files generated should give an indication of the best performance that can be expected with a given filter length. More complex filters would undoubtedly result in poorer performance. I've found that earlier versions ran into memory management issues when compiling large filtersets (over 100 lines), whereas v3.7.1/0.71 is much better, but compile times become unacceptable over a few hundred.

The following test was conducted on a PIII/1GHz, 1GB SDRAM, 0 byte dumpfile (pcap file header only):

[gbakos@pils gbakos]$ ./lengthtest.pl 500 deletethis.filter
[gbakos@pils gbakos]$ time /usr/sbin/tcpdump -r pcaptestfile -F deletethis.filter

real    0m58.399s
user    0m58.310s
sys     0m0.090s

<--------cut here-------->
#!/usr/bin/perl -w
# lengthtest.pl
#
# A simple utility to stress test tcpdump filter compilation/parsing.
# By lengthening the filter size, we may eventually exhaust some
# finite resource (i.e. ram, cpu, time left before second coming, etc.) needed
# to evaluate the expression.
# 04/12/2002 gbakos () ists dartmouth edu

my ($filtfile, $port, $num);

die "Usage: $0 [number of lines] [output file]\n" unless ((@ARGV + 0) == 2);

$num = $ARGV[0];
$filtfile = $ARGV[1];

# Fail loudly instead of silently writing nothing if the output path is bad.
open FILTS, "> $filtfile" or die "Cannot open $filtfile for writing: $!\n";

# First line has no leading "or"; every following line ORs in the next port.
print FILTS "port 1\n";
for ($port = 2 ; $port <= $num ; $port++ ) {
    print FILTS "or port $port\n";
}
close FILTS;
<-------cut here------>

On Tue, 10 Dec 2002 07:57:57 -0800 "Keplinger, Michael A" <michael.keplinger () nmci-isf com> wrote:
> Thanks for the responses thus far. We are using Libpcap version 0.4 and tcpdump v3.4 which is the same that Guy Harris had when his crashed. It may be difficult to upgrade due to our Customer (contract gig). I'll see if I can work around it.
>
> Thanks
>
> -----Original Message-----
> From: Jefferson Ogata [mailto:Jefferson.Ogata () noaa gov]
> Sent: Monday, December 09, 2002 16:37
> To: tcpdump-workers () tcpdump org
> Subject: Re: [tcpdump-workers] Max lines in filter
>
> Keplinger, Michael A wrote:
> > Does anybody know if there is a maximum number of lines that you can have in a tcpdump filter, I am getting segmentation fault when the number of lines approaches 100.
>
> What version of tcpdump and libpcap? There is a bug in older versions of the code generator.
>
> --
> Jefferson Ogata <Jefferson.Ogata () noaa gov>
> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
>
> -
> This is the TCPDUMP workers list.
> It is archived at http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos () ists dartmouth edu
voice 603-646-0665
fax 603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
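The post above times a single 500-line filter by hand. The script below is an added example (not from the thread, and not George's lengthtest.pl) that automates the sweep he describes: it writes a header-only pcap file itself, generates "port 1 or port 2 ..." filters of increasing length in the same shape as lengthtest.pl, and records how long tcpdump takes to compile each one, so the compile-time curve of a given tcpdump/libpcap build can be measured before a long filter is put on a production sensor. It assumes tcpdump is in $PATH and that running it with -r on an empty capture and -d (dump the compiled program and exit) is enough to force filter compilation; the file names and the step/maximum arguments are this example's own.

```perl
#!/usr/bin/perl
# filtersweep.pl  (added example; not part of the original post)
#
# Usage: ./filtersweep.pl [max lines] [step]
# Generates filters of step, 2*step, ... max lines and prints the wall-clock
# time tcpdump needs to compile each one against a header-only pcap file.
#
# Assumptions (not from the thread): tcpdump is in $PATH, and "-r <empty
# pcap> -F <filter> -d" compiles the filter and exits without reading packets.
use strict;
use warnings;
use Time::HiRes qw(time);

my ($maxlines, $step) = @ARGV;
die "Usage: $0 [max lines] [step]\n"
    unless defined $maxlines && defined $step && $step > 0;

my $pcap   = "empty.pcap";     # constructed scratch file
my $filter = "sweep.filter";   # constructed scratch file

# Write a pcap file that holds only the 24-byte global header: magic,
# version 2.4, zero timezone and sigfigs, snaplen 65535, link type 1
# (Ethernet). Native byte order is fine; libpcap detects swapped magic.
open my $ph, '>', $pcap or die "cannot create $pcap: $!\n";
binmode $ph;
print $ph pack('L S S l L L L', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1);
close $ph;

for (my $n = $step; $n <= $maxlines; $n += $step) {
    write_filter($filter, $n);
    my $start = time();
    # -d prints the compiled BPF program instead of processing packets;
    # the output is discarded, only the elapsed time is of interest.
    system("tcpdump -r $pcap -F $filter -d >/dev/null 2>&1") == 0
        or die "tcpdump failed at $n lines (exit status " . ($? >> 8) . ")\n";
    printf "%6d lines  %8.3f s\n", $n, time() - $start;
}
unlink $pcap, $filter;

# Same layout as lengthtest.pl: "port 1" on the first line, then one
# "or port N" per line up to the requested length.
sub write_filter {
    my ($path, $lines) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!\n";
    print $fh "port 1\n";
    print $fh "or port $_\n" for 2 .. $lines;
    close $fh;
}
```

Run as `./filtersweep.pl 500 50` to reproduce the shape of the measurement in the post in ten steps; a sharp upward bend in the printed times marks the filter length beyond which compilation on that build stops being practical.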
Current thread:
- Max lines in filter Keplinger, Michael A (Dec 09)
- Re: Max lines in filter Jefferson Ogata (Dec 09)
- Re: Max lines in filter Guy Harris (Dec 09)
- <Possible follow-ups>
- RE: Max lines in filter Keplinger, Michael A (Dec 10)
- Re: Max lines in filter George Bakos (Dec 10)
- Re: Max lines in filter Jefferson Ogata (Dec 10)