Re: [Patch] tcpdump probabilistic sampling

[Bruce M Simpson <bms () incunabulum net>]

Jesse Kempf wrote:
> Hi,
> So tcpdump tends to jam up the terminal a bit when you try to dump on 
> a saturated gigabit link. I've added a -P option to tcpdump that lets 
> you specify a probability for tcpdump to print each packet. It uses 
> drand48() to figure out whether each packet captured should be 
> printed. Obviously this isn't the same thing as saying "print every 
> Nth packet" since this is a Bernoulli process and the expected value 
> of the number of printed packets is different.
>
> Also, I hacked up the print_packet function, so this only works for 
> parse and print mode.

Somebody, I can't remember who, has patches to bpf which push the 
probability to the capture layer itself, rather than just the printing 
routine. They were actively using this for NIDS stuff.

The thing which got in the way of adoption was a lack of versioning of 
bpf capabilities IIRC. Not sure if this got solved or not.

later
BMS
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.