tcpdump mailing list archives

Capture on many interfaces with pcap


From: Andreas Rieke <andreas.rieke () isl de>
Date: Sun, 18 Apr 2004 14:15:54 +0200

Hi,

I am using pcap/WinPcap to capture traffic on Linux and Windows
operating systems. I need to work on several interfaces in parallel and
expect high load; however, as the filter function should drop more than
99 percent of the traffic, receiving packets from pcap should not be the
problem.
My design criteria are
- to process high load on the interfaces without dropping packets,
- to have stable processes/threads and
- to avoid polling because 100 % CPU load is not acceptable.

I see at least three ways to proceed with this job:
1. Call pcap_open_live for each interface within a single process/thread
and wait for packets using the select/WaitForMultipleEvents or
WaitForMultipleObjects function: In this case, I expect a stable process
because we need no threads, but I am not sure about performance.
2. Create a thread for each interface and process packets with callback
functions within the threads: Although I have heard that pcap/WinPcap
should be thread-safe, I am not sure about that and thus expect
stability problems. It should be quite simple to be thread-safe as long
as only one interface is used, but what about pcap running on several
interfaces in parallel? Additionally, under Linux, I do not know whether
to use Linux threads (clone) or POSIX threads (pthreads) for this job.
3. Handle each interface in its own process: Although this approach
should support both high stability with high performance, I do not like
it too much because a single process (with or without threads) better
fits in my application.

Are there any other ways to go? Has anybody already had experience
with one of these approaches?

Regards,

Andreas
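
Approach 1 from the message above (one thread blocking in select() across all capture descriptors), as an added sketch that is not part of the original post. The names struct source, service_once and drain_pipe are hypothetical, and pipes stand in for capture handles so the block runs without libpcap or capture privileges.

```c
#include <stddef.h>
#include <sys/select.h>
#include <unistd.h>

/* One capture source. With libpcap (assumption, not linked here): fd comes
 * from pcap_get_selectable_fd() on a handle put in non-blocking mode with
 * pcap_setnonblock(), and drain wraps pcap_dispatch(handle, -1, cb, user). */
struct source {
    int fd;
    int (*drain)(struct source *self); /* records handled, <0 on error */
    unsigned long handled;
};

/* Block in select() until a source is readable (no busy polling), then
 * drain every ready source. Returns the number of sources serviced,
 * 0 on timeout, -1 on error or on a descriptor that cannot be selected. */
int service_once(struct source *src, size_t n, struct timeval *timeout)
{
    fd_set rfds;
    int maxfd = -1, serviced = 0;

    FD_ZERO(&rfds);
    for (size_t i = 0; i < n; i++) {
        if (src[i].fd < 0 || src[i].fd >= FD_SETSIZE)
            return -1;          /* not selectable: handle it elsewhere */
        FD_SET(src[i].fd, &rfds);
        if (src[i].fd > maxfd)
            maxfd = src[i].fd;
    }
    if (select(maxfd + 1, &rfds, NULL, NULL, timeout) < 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!FD_ISSET(src[i].fd, &rfds))
            continue;
        int got = src[i].drain(&src[i]);
        if (got < 0)
            return -1;
        src[i].handled += (unsigned long)got;
        serviced++;
    }
    return serviced;
}

/* Constructed stand-in for a capture handle: each byte in the pipe counts
 * as one "packet". A real drain would call pcap_dispatch() instead. */
int drain_pipe(struct source *self)
{
    char buf[64];
    ssize_t r = read(self->fd, buf, sizeof buf);
    return r < 0 ? -1 : (int)r;
}
```

pcap_get_selectable_fd() returns -1 when a handle has no selectable descriptor; service_once rejects such a source, which then needs a different mechanism such as its own thread.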

