tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

pcap performance considerations in scripting languages

From: Matthew Bloch <matthew () bytemark co uk>
Date: Tue, 22 Apr 2003 10:51:29 +0100
Hi all,

I'm using libpcap to build a detailed bandwidth counter for a 100Mb ethernet 
connection on a Linux-based host (2.26GHz P4 with 2GB RAM), and wanted to 
solicit some opinions on its implementation, being new to libpcap 
programming.

For one, I'm building it using the Ruby scripting language's interface to 
libpcap so that I can use my existing code infrastructure, and make very 
clear, quickly-implemented logic to count ports, protocols etc. as well as 
overall usage.

Initially I was dubious; I thought that the amount of extra code introduced by 
the Ruby interface to pcap would stop it from keeping up.  So I wrote this 
program (hopefully pretty obvious even if you don't know Ruby)-- it's just a 
basic rate monitor for eth0:

    require 'pcap'
    cap = Capture.open_live("eth0")
    c_pkt = 0
    c_len = 0
    last = Time.now
    cap.each_packet { |pkt|
      c_pkt += 1
      c_len += pkt.length
      if Time.now - last >= 1
        print "#{c_pkt} packets / #{c_len/1024}K per second\n"
        last = Time.now
        c_pkt = 0
        c_len = 0
      end
    }

I found that during an ISO download over a 100Mb connection it regularly 
reported transfer rates of nearly 10000K/s which I assume means it was 
counting all packets.

What I mainly want to know is: how do I know when it *is* dropping packets?   
I tried it on a download over a loopback interface at 200Mb, and found that 
it seemed to report way under what was actually passing through the 
interface, again 100Mb seemed to be the highest rate reported (though this 
was on my much slower (though largely unloaded) laptop, not the much faster 
machines that are going to be running the software for real).  

This is obviously a concern if I want to use it to monitor chargeable 
bandwidth; can anyone directly answer this question, or can people comment on 
the plausability of this implementation?  I get the feeling I will need to do 
it in C eventually but from what I can tell Ruby seems ideal to implement an 
initial system.  Any comments & criticisms would be appreciated.

thanks,

-- 
Matthew Bloch                             Bytemark Hosting
                                  tel. +44 (0) 8707 455026
                        http://www.bytemark-hosting.co.uk/
          Dedicated Linux hosts from 15ukp ($26) per month

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: