tcpdump mailing list archives

Strange behavior of pcap filter


From: "J S" <geekreader () gmail com>
Date: Thu, 6 Apr 2006 17:22:17 -0400

Hello,

I am developing an active monitoring system, which implements a pcap filter.

The requirement is to send probes with a high monitoring rate, e.g. 40 msec,
and the probe packets have data of 12 bytes. For each packet sent by the
sender, the recipient sends a reply packet.


I have noticed a strange behavior of the captured packets.


I initially started with 10 probe packets sent by the sender with an
interval of 40 msec between each of them. I used the pcap_loop method with a
cnt of -1 to loop forever. The pcap filter deployed at each end is supposed
to capture 20 packets (10 from src to dst and 10 from dst to src, and I am
only capturing data packets). However, I noticed that the number of packets
captured is quite a bit lower (it varied from 13 to 17), but the total size
of the payload, i.e. the sum of the payload for all packets, is always 240
(12 x 20 = 240). For some of the packets the size of the payload is 24, or
even 48.

When I increased the monitoring rate, the payload size even changed to 108
bytes and the number of packets changed to 10. However, in all cases the total
payload size of all the packets was exactly 240. I know there was no packet
lost, as I can see them through sockets. I think the number of packets
captured equaled 20 when I changed the rate to 1 sec.



I then switched to the pcap_next method and used it in a for (;;) loop. This
method gave me an improved efficiency, as the number of packets captured was
exactly 20 (for rate = 100 msec). I then increased the monitoring rate and
this effect of stability remained until the monitoring rate was 50 msec. For
40 msec, I observed fewer packets than expected, similar behavior as
above.
(In order to check this behavior, I commented out all the system calls I am
supposed to make after capturing a packet and just maintained a loop of
pcap_next and a counter to account for the number of packets.)


Since I sent only 10 packets on each side, 20 in total, this unstable
behavior may be due to the high monitoring rate. I wonder, does pcap have any
limit in terms of the number of packets it can capture in a specific time? Does
it have any buffering issues? Is it supposed to combine the payload if the rate
is high? Since I am interested in the pcap header (the actual time stamps),
this behavior (of combining payloads for multiple packets) would lead to
loss of information for me.


Is there any way I can capture packets efficiently with a rate as high as 40
msec?



Thanks
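
Added example, not part of the original post: one way to tally a capture like the one described in 12-byte probes rather than in packets, so that packets carrying 24 or 48 bytes show up as several probes sharing a single pcap timestamp. It assumes the probes arrive as a byte stream (the post does not name the transport); `struct cap`, `tally_probes` and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PROBE_LEN 12  /* probe payload size given in the post */

/* One captured packet: pcap header timestamp (microseconds) and payload length. */
struct cap { long long ts_us; unsigned payload_len; };

/* Capture summary counted in probes rather than packets. */
struct tally { unsigned packets, probes, shared_ts, leftover; };

/*
 * Walk the captured payloads as one byte stream (assumption: stream transport),
 * carrying a partial probe over to the next packet. A probe is attributed to
 * the packet that delivers its last byte; every probe after the first one
 * completed by the same packet has no timestamp of its own (shared_ts).
 */
struct tally tally_probes(const struct cap *c, size_t n)
{
    struct tally t = {0, 0, 0, 0};
    unsigned carry = 0;                        /* bytes of an unfinished probe */
    for (size_t i = 0; i < n; i++) {
        unsigned avail = carry + c[i].payload_len;
        unsigned done = avail / PROBE_LEN;     /* probes completed by this packet */
        carry = avail % PROBE_LEN;
        t.packets++;
        t.probes += done;
        if (done > 1)
            t.shared_ts += done - 1;
    }
    t.leftover = carry;                        /* trailing bytes of a cut-off probe */
    return t;
}

/* Constructed sample: 5 packets whose payloads total 120 bytes (10 probes). */
static const struct cap sample[] = {
    {0, 12}, {40000, 24}, {120000, 12}, {160000, 48}, {320000, 24},
};

int main(void)
{
    struct tally t = tally_probes(sample, sizeof sample / sizeof sample[0]);
    printf("packets=%u probes=%u without_own_timestamp=%u leftover_bytes=%u\n",
           t.packets, t.probes, t.shared_ts, t.leftover);
    return 0;
}
```

In a real capture the `payload_len` values would come from `caplen` minus the link, network and transport header lengths of each packet handed to the pcap callback.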