tcpdump mailing list archives
Re: Multi process sniffing and dropped packets
From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Thu, 12 Jan 2006 15:29:15 -0800
----- Original Message -----
From: <computational_complex-forthespam () yahoo it>
To: <tcpdump-workers () lists tcpdump org>
Sent: Thursday, January 12, 2006 3:11 PM
Subject: [tcpdump-workers] Multi process sniffing and dropped packets
Hi people! I'm writing a sniffer with libpcap 0.9.3 that gets packets and does some CPU-intensive work with them. I want to use a multi-process architecture (rather than a multi-thread one) because I want to distribute work across multiple processors; so I thought of two ways to do this:
Uhm, what is the problem with multithreading? I think that all the modern OSes schedule on a per thread basis (or better, at least they schedule the different threads of a process on different CPUs).
- every process executes an infinite loop in which pcap_next() is called.
- every process executes a pcap_loop() call.
BUT... is the pcap library able to safely manage multi-process (or maybe multi-thread) calls with the same pcap_t handle in each process?
No. The pcap_t handle is not guaranteed to be thread-safe. Specifically, every packet returned by pcap_next (or pcap_next_ex) is valid until the next call to pcap_next_ex, pcap_close (or pcap_loop/dispatch).
Any suggestion?
Depending on the work you need to do on every packet, I would probably have a thread that receives all the packets, copies them (or part of them, you will probably need very few bytes of each packet) and dispatches them to a number of processing threads. An issue is how to balance the packets between the processing threads.
Before going into a multithread approach, in any case I would analyze the code path processing packets, finding what are the real CPU intensive tasks.
Anyway, I would like to know how ps_drop in struct pcap_stat is calculated; is this the number of packets that the network card drops? Or does it count packets dropped by the pcap library? If it's the latter case, why does the lib drop packets? Is there a buffer full? Can I enlarge this buffer?
It's the latter. There's usually a kernel buffer holding the packets before they are moved to user level. On BSD there are two buffers (a sort of double buffering scheme is used), while on Windows (WinPcap) a ring buffer is used. I don't know exactly how the Linux implementation works.
On Windows it's possible to enlarge this buffer at runtime (up to something like 100+ MB). I think it's possible to do that on BSD and Linux, but I'm not 100% sure.
Remember that in any case having a larger buffer helps in case of network bursts, it doesn't help a lot if the processing application is too slow.
Have a nice day GV
Thanks to everyone. Valerio
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
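The copy-and-dispatch design suggested in the reply above, sketched as an added example that is not code from the original messages or from libpcap: the capture thread calls `dispatch()` with the packet pointer and captured length it got from libpcap, and each worker thread drains its own queue with `take()`. All names and sizes here (`WORKERS`, `SLOTS`, `SNAP`, `pick_worker`, `dispatch`, `take`) are hypothetical, and balancing by the XOR of the IPv4 addresses is one assumed answer to the balancing question, chosen so both directions of a conversation reach the same worker.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>
#define WORKERS 4   /* assumed number of processing threads */
#define SLOTS   8   /* assumed per-worker queue depth */
#define SNAP    64  /* bytes of each packet kept for processing */

struct pkt   { uint32_t len; uint8_t data[SNAP]; };
struct queue { struct pkt slot[SLOTS]; atomic_uint head, tail; unsigned long dropped; };
static struct queue queues[WORKERS];

/* Balance by flow: the XOR of the IPv4 addresses is the same in both
 * directions, so a conversation always reaches the same worker.
 * Assumes Ethernet II framing; anything else goes to worker 0. */
static unsigned pick_worker(const uint8_t *p, uint32_t caplen)
{
    uint32_t src, dst, h;
    if (caplen < 34 || p[12] != 0x08 || p[13] != 0x00)
        return 0;
    memcpy(&src, p + 26, 4);
    memcpy(&dst, p + 30, 4);
    h = src ^ dst;
    h ^= h >> 16;
    return (h ^ (h >> 8)) % WORKERS;
}

/* Capture thread: copy the packet out of the buffer that libpcap will
 * reuse on the next call. Returns the worker index, or -1 if that
 * worker's queue is full and the packet was dropped (and counted). */
static int dispatch(const uint8_t *p, uint32_t caplen)
{
    struct queue *q = &queues[pick_worker(p, caplen)];
    unsigned tail = atomic_load(&q->tail);
    if (tail - atomic_load(&q->head) == SLOTS) { q->dropped++; return -1; }
    struct pkt *s = &q->slot[tail % SLOTS];
    s->len = caplen < SNAP ? caplen : SNAP;
    memcpy(s->data, p, s->len);
    atomic_store(&q->tail, tail + 1);   /* publish only after the copy */
    return (int)(q - queues);
}

/* Worker thread w: take the oldest copy; returns 0 when the queue is empty. */
static int take(unsigned w, struct pkt *out)
{
    struct queue *q = &queues[w];
    unsigned head = atomic_load(&q->head);
    if (head == atomic_load(&q->tail)) return 0;
    *out = q->slot[head % SLOTS];
    atomic_store(&q->head, head + 1);
    return 1;
}
```

Each queue is safe for exactly one producer (the capture thread) and one consumer (its worker); a slow worker shows up as a rising `dropped` count on its own queue, separate from the kernel-side `ps_drop`.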