tcpdump mailing list archives

tcpdump/pcap 1-of-S sampling
From: kevin brintnall <kbrint () rufus net>
Date: Wed, 23 May 2007 16:34:45 -0500

Hi,

I would like to add a feature to tcpdump/pcap to only capture 1/S packets
for some positive integer S.  For example, this would be useful for
traffic analysis on DNS servers where it's not feasible or desirable to
capture every single packet.

Rather than do this in the application, I would like to also push this
feature into the kernel (i.e. BPF), to reduce the amount of kernel-->user
space copying.  Ideally, pcap would push the sampling into the kernel
where available, and fall back to doing its own 1-of-S sampling otherwise.

Does anyone have a recommendation where to store the sampling factor S,
esp. with regards to passing into the kernel?  It doesn't make sense to
store it in the bpf_insn, so I am thinking that it would make more sense
to store info in bpf_program.

Does this make sense, and is bpf_program the right place to store this
info?  Feedback is appreciated.

-- 
 kevin brintnall =~ <kbrint () rufus net>
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
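The user-space fallback the post describes, as an added example that is not code from this thread or from tcpdump/libpcap. It assumes a small per-capture sampler state (`struct sampler`, a hypothetical name) that the application consults at the top of its per-packet callback before doing any work; the sampling factor S is the same positive integer the post discusses. Besides the plain "every S-th packet" policy, it shows a random-in-block variant (one uniformly chosen packet from each block of S, the 1-out-of-N selection of RFC 5475), which avoids the bias a fixed stride shows on periodic traffic such as a DNS server's retry patterns. Packet sizes fed through the loop are constructed so the file builds and runs without libpcap.

```c
/* Added example (not from the thread or libpcap): user-space 1-of-S sampler. */
#include <stdint.h>
#include <stdio.h>

enum sample_mode { SAMPLE_STRIDE, SAMPLE_RANDOM_IN_BLOCK };

struct sampler {                 /* hypothetical per-capture state */
    uint32_t S;                  /* sampling factor, must be >= 1 */
    enum sample_mode mode;
    uint32_t pos;                /* index of the next packet within the current block */
    uint32_t pick;               /* index within the block that will be kept */
    uint64_t seen, kept;         /* statistics */
    uint64_t rng;                /* xorshift64 state; seeded for reproducible runs */
};

static uint32_t xorshift_next(uint64_t *st)
{
    uint64_t x = *st;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    *st = x;
    return (uint32_t)(x >> 32);
}

static void sampler_new_block(struct sampler *sp)
{
    sp->pos = 0;
    /* stride: always the first packet of the block; random: any of the S slots */
    sp->pick = (sp->mode == SAMPLE_RANDOM_IN_BLOCK) ? xorshift_next(&sp->rng) % sp->S : 0;
}

/* Returns 0 on success, -1 if S is not a positive integer. */
int sampler_init(struct sampler *sp, uint32_t S, enum sample_mode mode, uint64_t seed)
{
    if (S == 0)
        return -1;
    sp->S = S;
    sp->mode = mode;
    sp->seen = sp->kept = 0;
    sp->rng = seed ? seed : 0x9E3779B97F4A7C15ULL;   /* xorshift must not start at 0 */
    sampler_new_block(sp);
    return 0;
}

/* Per-packet decision: 1 = hand to the application, 0 = drop.  Exactly one
 * packet of every full block of S returns 1, whichever policy is in use. */
int sampler_keep(struct sampler *sp)
{
    int keep = (sp->pos == sp->pick);
    sp->seen++;
    if (keep)
        sp->kept++;
    if (++sp->pos == sp->S)
        sampler_new_block(sp);
    return keep;
}

/* Stand-in for a pcap_loop() callback loop: feed n constructed packets through
 * the sampler, doing "work" (here, summing caplen) only for kept packets.
 * Returns the number of packets kept, or -1 if S was invalid. */
long long sample_count(uint32_t S, enum sample_mode mode, uint64_t seed, uint64_t n)
{
    struct sampler sp;
    uint64_t bytes_kept = 0;
    if (sampler_init(&sp, S, mode, seed) != 0)
        return -1;
    for (uint64_t i = 0; i < n; i++) {
        uint32_t caplen = 64 + (uint32_t)(i % 1400);   /* constructed packet size */
        if (!sampler_keep(&sp))
            continue;                                  /* dropped: no further cost */
        bytes_kept += caplen;                          /* real analysis would go here */
    }
    return (long long)sp.kept;
}

/* Index (0..S-1) of the packet kept from the first block, or -1 if S is invalid. */
int first_kept_index(uint32_t S, enum sample_mode mode, uint64_t seed)
{
    struct sampler sp;
    if (sampler_init(&sp, S, mode, seed) != 0)
        return -1;
    for (uint32_t i = 0; i < S; i++)
        if (sampler_keep(&sp))
            return (int)i;
    return -1;   /* not reached: each block keeps exactly one packet */
}

int main(void)
{
    printf("stride S=10, 1000 packets: kept %lld\n", sample_count(10, SAMPLE_STRIDE, 1, 1000));
    printf("random-in-block S=10, 1000 packets: kept %lld, first kept at index %d\n",
           sample_count(10, SAMPLE_RANDOM_IN_BLOCK, 42, 1000),
           first_kept_index(10, SAMPLE_RANDOM_IN_BLOCK, 42));
    return 0;
}
```

If the kernel-side sampling the post proposes were available, the `sampler_keep()` call would simply disappear from the callback: the filter would already have discarded S-1 of every S packets before the kernel-to-user copy, which is the copy the post wants to avoid. The sampler's `seen`/`kept` counters are worth keeping in either design, since a packet count that is only 1/S of the true rate is easy to misread in later analysis.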