Re: PCAP performance

[sthaug () nethelp no]

> I have written a packet sniffer under C++ using libpcap.
> Now I have noticed that about every 3 minutes and 15 seconds the Program
> uses 100 % of the CPU.
> After about 45 sec the program works normal again and uses only 10% of the
> CPU time.

Sure sounds like a problem with your program - as far as I know there
is nothing in libpcap which would cause this.

> The program is running on a 300 MHz Celeron with 128 MB RAM under Slackware
> 8.1. 
> I also tried it under a 1600 Athlon XP with 512 MB RAM under SuSeE 8.2.
> There was the same behaviour, except that it only used 80% of the CPU and it was
> back normal faster.
> I use libpcap 0.8.1 and pcap_dispatch, which is called in a while statement
> of a pthread, with 1 as parameter for number of packets to capture.
> I first thought that I made a mistake in the call-back function, but I
> replaced my code with return and it did the same thing.
> I tested the program with hping2 and sent a packet every 10 ms. The used
> filter is quite long and consists of about 150 pairs of IP-Addresses and Ports.

A packet every 10 ms is only 100 pps - this should be no problem at
all. If I test tcpdump on a FreeBSD/Pentium 700 MHz machine with 100
pps, I see less than 1% load from running tcpdump. I recommend that
you test tcpdump on your system with the same filter as your C++
program and see what happens. If you do "tcpdump -nw /dev/null" you
have removed all DNS lookups and all writing to the terminal, and
should be left with the load from tcpdump/libpcap itself.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.