tcpdump mailing list archives

capturing packets in many concurrent processes


From: "Anthony D. Minkoff" <adminkoff () cox net>
Date: Tue, 6 Jul 2004 18:11:06 -0700

TCPDUMP newbie here.  Newbie to a number of things, actually.

I'm implementing several programs that use libpcap to monitor and analyze network traffic. I understand that each of these programs uses a BPF device, so that the number of such processes I can have running on a system concurrently is limited by the number of BPF devices I have on the system. By default, this is 4.

Four probably won't always be enough, so I'm wondering whether I should create some additional BPF devices. What are the costs of doing so? What kind of limits are there on the number of BPF devices I can create?

One noteworthy feature of my particular situation is that all of these processes are examining essentially the same packets, so I'm wondering if there is a way I can exploit that fact to minimize the number of BPF devices that they consume.

One approach that I tried is having one process monitor the network and write packets to a file, and having the other processes read the packets from this file and do whatever analyses they need to do. However, we're talking about a *lot* of packets here, and this approach degraded system performance.

A related approach that I'm considering is having one process monitor the network and use some kind of IPC to broadcast the packets to any other processes that might be interested. I'm enough of a newbie at this, too, that I don't yet know what kind of IPC would be appropriate, or whether this approach is even a good idea in the first place.

So... What should I do? Create more BPF devices? Use IPC? Is there any support in libpcap for multiple processes sharing a single filter? Or is there another approach I should consider?

If it matters, the systems in question are running FreeBSD 4.x.

- ADM
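One way to realise the "one capturer, IPC broadcast" approach the post asks about, as an added example that is not the poster's code and not part of libpcap or tcpdump: a single publisher process would hold the only capture handle and write every record, in libpcap savefile layout, to one pipe per reader process; each reader parses its stream independently. The capture step is replaced here by constructed frames (no libpcap, no interface and no BPF device are needed to run it), the `pcap_file_header` and `pcap_rec_header` layouts are the standard savefile header and record header in host byte order, and the small hand-written parser stands in for handing the pipe's read end to `pcap_fopen_offline()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not from the original post: a publisher fans a capture
 * stream out to N reader processes over pipes, using the libpcap savefile
 * layout so that a real reader could use pcap_fopen_offline() on the pipe.
 * Captured frames are replaced by constructed ones so this runs offline. */

#define PCAP_MAGIC  0xa1b2c3d4u  /* savefile magic, host byte order */
#define SNAPLEN     65535u
#define DLT_EN10MB  1            /* Ethernet link type */
#define MAX_READERS 16

struct pcap_file_header {
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};
struct pcap_rec_header { uint32_t ts_sec, ts_usec, caplen, len; };

/* Constructed frame lengths standing in for three captured packets. */
static const unsigned int sample_lens[] = { 60, 74, 98 };
#define NSAMPLES (sizeof sample_lens / sizeof sample_lens[0])

unsigned long total_sample_bytes(void) {
    unsigned long t = 0;
    for (size_t i = 0; i < NSAMPLES; i++) t += sample_lens[i];
    return t;
}

static int write_all(int fd, const void *buf, size_t n) {
    const unsigned char *b = buf;
    while (n) { ssize_t w = write(fd, b, n); if (w <= 0) return -1; b += w; n -= (size_t)w; }
    return 0;
}
/* 1 = full read, 0 = clean EOF before any byte, -1 = error or truncated record. */
static int read_all(int fd, void *buf, size_t n) {
    unsigned char *b = buf; size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, b + got, n - got);
        if (r == 0) return got ? -1 : 0;
        if (r < 0) return -1;
        got += (size_t)r;
    }
    return 1;
}

/* Publisher: one savefile header, then every record, written to each pipe. */
static int publish_stream(const int *fds, int nfds) {
    struct pcap_file_header fh = { PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, DLT_EN10MB };
    unsigned char frame[SNAPLEN];
    for (int i = 0; i < nfds; i++) if (write_all(fds[i], &fh, sizeof fh)) return -1;
    for (size_t k = 0; k < NSAMPLES; k++) {
        struct pcap_rec_header rh = { (uint32_t)k, 0, sample_lens[k], sample_lens[k] };
        memset(frame, (int)k, rh.caplen);          /* constructed payload bytes */
        for (int i = 0; i < nfds; i++)
            if (write_all(fds[i], &rh, sizeof rh) || write_all(fds[i], frame, rh.caplen)) return -1;
    }
    return 0;
}

/* Reader: parse one stream; returns record count, or -1 if it is malformed.
 * Captured byte total is stored through *bytes when non-NULL. */
int consume_stream(int fd, unsigned long *bytes) {
    struct pcap_file_header fh; struct pcap_rec_header rh;
    unsigned char frame[SNAPLEN]; int n = 0; unsigned long total = 0;
    if (read_all(fd, &fh, sizeof fh) != 1 || fh.magic != PCAP_MAGIC) return -1;
    for (;;) {
        int r = read_all(fd, &rh, sizeof rh);
        if (r == 0) break;                             /* clean end of stream */
        if (r < 0 || rh.caplen > fh.snaplen || rh.caplen > rh.len) return -1;
        if (read_all(fd, frame, rh.caplen) != 1) return -1;
        total += rh.caplen; n++;                       /* per-packet analysis goes here */
    }
    if (bytes) *bytes = total;
    return n;
}

/* Spawn n readers, feed all of them the same stream, return how many got it intact. */
int fanout_to_readers(int n) {
    int wfds[MAX_READERS]; pid_t pids[MAX_READERS];
    if (n < 1 || n > MAX_READERS) return -1;
    for (int i = 0; i < n; i++) {
        int p[2];
        if (pipe(p) < 0 || (pids[i] = fork()) < 0) return -1;
        if (pids[i] == 0) {                            /* reader process */
            close(p[1]);
            for (int j = 0; j < i; j++) close(wfds[j]); /* else a sibling never sees EOF */
            unsigned long bytes;
            int recs = consume_stream(p[0], &bytes);
            _exit(recs == (int)NSAMPLES && bytes == total_sample_bytes() ? 0 : 1);
        }
        close(p[0]); wfds[i] = p[1];
    }
    int rc = publish_stream(wfds, n), ok = 0;
    for (int i = 0; i < n; i++) close(wfds[i]);        /* EOF for every reader */
    for (int i = 0; i < n; i++) {
        int st = 0;
        if (waitpid(pids[i], &st, 0) == pids[i] && WIFEXITED(st) && WEXITSTATUS(st) == 0) ok++;
    }
    return rc == 0 ? ok : -1;
}

/* Single-process round trip through one pipe: record count if the byte total matches. */
int roundtrip_in_process(void) {
    int p[2]; unsigned long bytes = 0;
    if (pipe(p) < 0 || publish_stream(&p[1], 1)) return -1;  /* stream fits in the pipe buffer */
    close(p[1]);
    int n = consume_stream(p[0], &bytes);
    close(p[0]);
    return bytes == total_sample_bytes() ? n : -1;
}

int main(void) {
    int n = roundtrip_in_process();
    printf("round trip: %d records, %lu bytes\n", n, total_sample_bytes());
    printf("readers fed intact: %d of 4\n", fanout_to_readers(4));
    return 0;
}
```

The part that is easy to get wrong is the `close(wfds[j])` loop in each child: a reader that keeps a sibling pipe's write end open means that sibling never reaches EOF. Pipes hand every reader its own copy of each record, so copying cost grows with the number of readers; that is the trade-off against the shared-file approach the post already tried, and only the publisher would ever need a capture handle.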

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

