tcpdump mailing list archives

Re: tcpdump3.9.8 slow performance with filter in FreeBSD 7.0


From: "lei wei" <weilei1983 () gmail com>
Date: Mon, 8 Sep 2008 09:27:54 -0400

Hi,

By "unacceptable", I mean the number of packets that tcpdump processed
was only a fraction of what it received. I assume that "Number of
Packets received by filter" are the packets that were matched by the
filter expression, so with a filter, tcpdump can only process 3984 out
of 1091656 ip packets.... And also, the port I'm monitoring on is a
mirror of the department building uplink; it should have a major
component of ip packets.

Hope it clarifies.

Thanks.
Lei

On Mon, Sep 8, 2008 at 3:59 AM, <sthaug () nethelp no> wrote:

> > I'm currently doing packet capturing on a FreeBSD 7.0 system. I was
> > actually running my own pcap-based program but found the performance
> > was very bad when I added a simple filter as "ip". So I tested
> > tcpdump on the same machine. It turned out that the performance of
> > tcpdump without a filter expression is reasonably good, but turned
> > unacceptable when applying an "ip" filter.
>
> Please define "unacceptable".
>
> > I guess it must have something to do with the libpcap0.9.8. Below
> > are some results I got. The version on the machine is tcpdump3.9.8
> > with libpcap0.9.8
> >
> > 1. tcpdump without filter:
> > # tcpdump -i em1 -s 1500 -w dump.dat
> > 433145 packets captured
> > 448830 packets received by filter
> > 0 packets dropped by kernel
> >
> > 2. tcpdump with filter:
> > # tcpdump -i em1 -s 1500 -w dump.dat ip
> > 3984 packets captured
> > 1091656 packets received by filter
> > 0 packets dropped by kernel
>
> The statistics show 0 packets dropped. What is your problem here - are
> you saying that there are *more* IP packets (in the 1091656 packets
> received by the filter) than the 3984 packets captured?
>
> I run tcpdump on various FreeBSD 7 systems myself with no apparent
> problems.
>
> Steinar Haug, Nethelp consulting, sthaug () nethelp no




-- 
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill,
NC 27599-3175
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

