tcpdump mailing list archives

Re: tcpdump/pcap 1-of-S sampling

From: Guy Harris <guy () alum mit edu>
Date: Wed, 23 May 2007 18:25:28 -0700


On May 23, 2007, at 2:34 PM, kevin brintnall wrote:

I would like to add a feature to tcpdump/pcap to only capture 1/Spackets
for some positive integer S.  For example, this would be useful for
traffic analysis on DNS servers where it's not feasible or desirableto
capture every single packet.

Rather than do this in the application, I would like to also push this
feature into the kernel


Which kernel?

(i.e. BPF),

I.e., the {Free,Net,Open,DragonFly}BSD kernel, and the Darwin/Mac OS Xkernel, but not the Linux, Solaris, etc. kernel. (And probably not theAIX kernel, either, unless you work at IBM or an AIX source licensee.)

This is probably going to end up being a private hack unless youconvince the developers of the BPF-using system you're using to adoptit.

to reduce the amount of kernel-->user
space copying.  Ideally, pcap would push the sampling into the kernel
where available, and fall back to doing its own 1-of-S samplingotherwise.
Does anyone have a recommendation where to store the sampling factorS,esp. with regards to passing into the kernel? It doesn't make sensetostore it in the bpf_insn, so I am thinking that it would make moresense
to store info in bpf_program.

The best thing to do is probably to provide your own BPF ioctl to setthat, and either

1) have the new ioctl just set the sampling factor, and use theexisting ioctl, unchanged, to set the filter


or

        2) add a new ioctl that sets the filter and the sampling factor.

I would vote for 1) as the least intrusive change.

I suspect that the developers of any of the systems in question arelikely to resist a change to the bpf_program structure, for binary andsource compatibility reasons, so if you want this to be anything otherthan a private hack, I would suggest that you add a new ioctl to setthe sampling factor.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

tcpdump/pcap 1-of-S sampling kevin brintnall (May 23)
- Re: tcpdump/pcap 1-of-S sampling Guy Harris (May 23)
- Re: tcpdump/pcap 1-of-S sampling Bruce M Simpson (May 26)