Secret of great tcpdump performance ..

["Michael Krueger" <mickrulist () voipfuture com>]

Hi,

we try to build a capture daemon using pcap lib. It does work great on a  
single NIC if running alone, but if started twice on different NICs (eth0  
& eth1) it seems that somehow they interfere in such way that capturing is  
slowing down and pcap_stat does report dropped packets.
The same test using tcpdump doesn't have that problem. We focus on udp  
protocol, rtp v2 specifically. I can start tcpdump twice, each capturing  
on a different NIC. It doesn't have any impact on the result, no packets  
dropped. How did you do it ;-) ?
My callback does even less than your ether_if_print ... rtp_print methods.  
I don't get, why two independent processes of tcpdump seem to be able to  
capture without interfering each other, but my app using pcap lib does. I  
haven't seen that tcpdump does lock itself on a specific CPU core, doesn't  
it?
Another difference is, that my app is multithreaded and yours is not. Did  
you play with threading? Can the overhead of threading context switching  
be the problem? I didn't think so, because we run on a machine with  
multiple cores, but maybe you experienced something different?
I checked tcpdump.c almost line by line and didn't see much of a  
difference in using libpcap except the call to init_addrtoname. Could this  
method call mean all of the difference? What does it do? I mean, I haven't  
figured out if the structures prepared in that method are even used by the  
rtp_print method.

Any hint that can point me in the right direction is appreciated. Thanks.

--
Michael Krueger
VoIPFuture Ltd.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.