tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: question about mmap support

From: Alexander Dupuy <alex.dupuy () mac com>
Date: Mon, 03 Dec 2007 09:50:45 -0500
Paolo Abeni writes:

I tried to dig this in the ML archive, without any luck. It look like
there is a certain interested for the memory map patch by Phil Wood
(http://public.lanl.gov/cpw/), but it have never been merged, why ?!?
I can't say for sure, but I suspect that Phil Woods' changes, which involve a lot of configuration in environment variables are seen as a bit too intrusive (and possibly raising security issues - certainly my feeling as well).
At our company, we have a privately maintained version of libpcap which includes a merge of Alexey Kuznetzov's old Linux fork of libpcap with mmap support (with his savefile and structure changes #ifdef'ed out). I suspect that Alexey's gratuitous changes to the structures and savefile format etc. may be the source of some resistance to adding support for Linux mmap. I think that it varies by distribution, but I know that Red Hat dropped the Kuznetzov fork in favor of tcdpump.org version in RHL 7 or 8, but I believe that some Linux distros (Gentoo? others?) may still have mmap support in their libpcap distros.
I would guess that most people who want improved capture performance on Linux either use Phil Woods' version (which tracks the official libpcap pretty well) or Luca Deri's PF_RING version (which also requires kernel support, and is less flexible, but gives better performance for a dedicated capture appliance). Or else they get dedicated hardware like Endace DAG cards, which are supported in tcpdump.org version.
I get the impression that most of the core tcpdump.org people are running on *BSD systems, so as long as the Linux version works correctly, Linux capture performance isn't really a major issue for them.
That said, I'd be willing to work up and submit clean patches to add Linux mmap (and even PF_RING) support for the libpcap 1.x branch, but only if there was some indication from the maintainers that such a patch would not simply sink to the bottom of the tcpdump-workers archives without any response or comment as a number of larger patches I've posted in the past have done (corrupt savefile recovery, recursion elimination for very large expression parsing, maybe some others that even I have forgotten). 

@alex

--
mailto:alex.dupuy () mac com

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Previous By Date Next
Previous By Thread Next

Current thread: