tcpdump mailing list archives

Re: Multi process sniffing and dropped packets


From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Thu, 12 Jan 2006 15:29:15 -0800


----- Original Message ----- From: <computational_complex-forthespam () yahoo it>
To: <tcpdump-workers () lists tcpdump org>
Sent: Thursday, January 12, 2006 3:11 PM
Subject: [tcpdump-workers] Multi process sniffing and dropped packets


> Hi people!
> I'm writing a sniffer with libpcap 0.9.3 that gets
> packets and does some CPU-intensive work with those.
> I want to use a multi-process architecture (rather
> than a multi-thread one) because I want to distribute
> work on multiple processors; so I thought of two ways to do
> this:

Uhm, what is the problem with multithreading? I think that all the modern OSes schedule on a per-thread basis (or better, at least they schedule the different threads of a process on different CPUs).


> - every process executes an infinite loop in which
> pcap_next() is called.
> - every process executes a pcap_loop() call.
>
> BUT... is the pcap library able to safely manage multi-process
> (or maybe multi-thread) calls with the same
> pcap_t handle in each process?

No. The pcap_t handle is not guaranteed to be thread-safe. Specifically, every packet returned by pcap_next (or pcap_next_ex) is valid until the next call to pcap_next_ex, pcap_close (or pcap_loop/dispatch).


> Any suggestion?


Depending on the work you need to do on every packet, I would probably have a thread receiving all the packets, copying them (or part of them; you will probably need very few bytes of each packet) and dispatching them to a number of processing threads. An issue is how to balance the packets between the processing threads.

Before going into a multithread approach, I would in any case analyze the code path that processes packets, to find what the real CPU-intensive tasks are.


> Anyway, I would like to know how ps_drop in struct
> pcap_stat is calculated;
> is this the number of packets that the network card
> drops? Or does it count pcap library dropped packets?
> If it's the latter case, why does the lib drop
> packets? Is there a buffer that gets full? Can I enlarge this
> buffer?

It's the latter. There's usually a kernel buffer holding the packets before they are moved to user level. On BSD there are two buffers, so a sort of double-buffering scheme is used, while on Windows (WinPcap) a ring buffer is used. I don't know exactly how the Linux implementation works.

On Windows it's possible to enlarge this buffer at runtime (up to something like 100+ MB); I think it's possible to do that on BSD and Linux, but I'm not 100% sure.

Remember that in any case having a larger buffer helps in case of network bursts, it doesn't help a lot if the processing application is too slow.


Have a nice day
GV



> Thanks to everyone.
>
> Valerio
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


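As an added illustration of the design GV suggests (one capture thread copying the few bytes it needs out of the reusable capture buffer and handing them to workers) and of why drops appear when the consumer is too slow, here is a small C sketch that is not code from this thread or from libpcap. The `fake_next()` function is a constructed stand-in for a capture call that reuses its buffer, and `NEED`, `QCAP` and the packet marker bytes are assumed values chosen for the demonstration.

```c
#include <string.h>

/* Constructed stand-in for a capture call such as pcap_next_ex(): each call
 * hands back a pointer into ONE buffer that the next call overwrites. */
#define SNAP 64
static unsigned char capture_buf[SNAP];
static const unsigned char *fake_next(unsigned seq, size_t *len) {
    memset(capture_buf, 0, SNAP);
    capture_buf[0] = 0x45;                /* constructed IPv4 first byte */
    capture_buf[12] = (unsigned char)seq; /* constructed per-packet marker */
    *len = SNAP;
    return capture_buf;
}

/* Bounded queue of private copies; processing threads would pop from here. */
#define NEED 40  /* bytes of each packet the workers really need (assumed) */
#define QCAP 4   /* queue depth; a full queue means a drop, like ps_drop */
struct pkt { unsigned char data[NEED]; size_t len; };
struct queue { struct pkt slots[QCAP]; unsigned head, count; unsigned long drops; };

int enqueue_copy(struct queue *q, const unsigned char *p, size_t len) {
    if (q->count == QCAP) { q->drops++; return 0; }   /* consumer too slow */
    struct pkt *s = &q->slots[(q->head + q->count) % QCAP];
    s->len = len < NEED ? len : NEED;
    memcpy(s->data, p, s->len);          /* copy BEFORE the next capture call */
    q->count++;
    return 1;
}

int dequeue(struct queue *q, struct pkt *out) {
    if (q->count == 0) return 0;
    *out = q->slots[q->head];
    q->head = (q->head + 1) % QCAP;
    q->count--;
    return 1;
}

/* Capture loop: npkts packets arrive; the consumer drains one packet every
 * second iteration. Returns the drop count; *stale becomes 1 if a raw pointer
 * kept from the first packet no longer shows the first packet's contents. */
unsigned long run_capture(unsigned npkts, struct queue *q, int *stale) {
    const unsigned char *first = NULL;
    size_t len;
    memset(q, 0, sizeof *q);
    for (unsigned i = 1; i <= npkts; i++) {
        const unsigned char *p = fake_next(i, &len);
        if (i == 1) first = p;            /* holding this across calls is a bug */
        enqueue_copy(q, p, len);
        if (i % 2 == 0) { struct pkt out; dequeue(q, &out); }
    }
    *stale = (first != NULL && first[12] != 1);
    return q->drops;
}
```

The copies in the queue keep their original marker bytes even after the capture buffer has been overwritten, while the retained raw pointer now shows the last packet; the drop counter grows exactly when the consumer falls behind, which is why a bigger buffer only absorbs bursts.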
