Re: [Patch] tcpdump probabilistic sampling

[Milosz Marian Hulboj <mhulboj () hulboj org>]

On Wednesday 02 April 2008, Jesse Kempf wrote:
> Hi,
> So tcpdump tends to jam up the terminal a bit when you try to dump on a 
> saturated gigabit link. I've added a -P option to tcpdump that lets you 
> specify a probability for tcpdump to print each packet. It uses 
> drand48() to figure out whether each packet captured should be printed. 
> Obviously this isn't the same thing as saying "print every Nth packet" 
> since this is a Bernoulli process and the expected value of the number 
> of printed packets is different.
>
> Also, I hacked up the print_packet function, so this only works for 
> parse and print mode.

Hello,

Wouldn't it be better to allow several different types of sampling that 
would match the commonly encountered schemas:
- random probabilistic sampling (Bernoulli's sampling)
- systematic sampling (not really random - just the skip counter)
- sFlow like sampling schema (on average 1-out-of-N samples)

And does it have to be done on the printing level? I don't know the details, 
but it would make much more sense to apply the 'random filtering' as early 
as possible.

Cheers,
Milosz

-- 
Milosz Marian Hulboj
http://www.linkedin.com/in/mhulboj

Attachment: signature.asc
Description: This is a digitally signed message part.