tcpdump mailing list archives

Re: tcpdump 3.9.8 slow performance with filter in FreeBSD 7.0


From: Guy Harris <guy () alum mit edu>
Date: Mon, 8 Sep 2008 15:01:35 -0700


On Sep 8, 2008, at 6:27 AM, lei wei wrote:

> By "unacceptable", I mean the number of packets that tcpdump processed was only a fraction of that it received. I assume that "Number of Packets received by filter" is the number of packets that were matched by the filter expression,

No.

On systems with BPF (including all versions of FreeBSD, including 6.0 and 7.0, and with all versions of libpcap), "Number of Packets received by filter" is the number of packets that were handed to the filter to match, *including packets that were not matched by the filter expression*.

On some other systems (e.g., Linux), it's the number of packets that passed the filter, regardless of whether they were dropped because the system ran out of buffer space.

> so with a filter, tcpdump can only process 3984 out of 1091656 ip packets....

So, with a filter, tcpdump was only handed 3984 packets out of 1091656 packets.

Note that "ip" means IPv4, not IPv4 and IPv6; if most of the traffic on your network is either non-IP traffic (note that ARP traffic is not IP traffic) or IPv6 traffic, a filter of "ip" will filter out most of the traffic received.
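The two points made above, that on BPF "received by filter" counts every packet handed to the filter rather than the packets that matched, and that "ip" means IPv4 only, can be modelled with a few synthetic frames. The following is an added example, not code from tcpdump, libpcap or anyone on this thread; the frames, the traffic mix and the `flt_*` predicates are constructed here, and the VLAN-tagged case goes slightly beyond the message (libpcap's "ip" tests the EtherType at offset 12, so an 802.1Q-tagged IPv4 frame needs "vlan and ip"):

```python
"""Model of what tcpdump's "ip" filter matches and what the
"received by filter" counter means on BPF vs. Linux.

Constructed example; not code from tcpdump or libpcap. The frames are
synthetic and the counter semantics follow the message above: on BPF the
counter covers every packet handed to the filter, on Linux only packets
that passed it.
"""
import struct

# IEEE-assigned EtherType values
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD


def make_frame(ethertype, payload=b"\x00" * 46, vlan_id=None):
    """Build a synthetic Ethernet II frame (constructed input).
    With vlan_id set, an 802.1Q tag sits in front of the real EtherType,
    so offset 12 reads 0x8100 and the real type moves to offset 16."""
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ethertype_at_12(frame):
    """The 16-bit EtherType at offset 12, which is what the "ip", "ip6"
    and "arp" primitives test on an Ethernet link type."""
    return struct.unpack_from("!H", frame, 12)[0]


# Filter predicates mirroring tcpdump primitives (hypothetical names).
def flt_ip(frame):           # "ip": IPv4 only, not ARP, not IPv6
    return ethertype_at_12(frame) == ETHERTYPE_IPV4


def flt_ip6(frame):          # "ip6"
    return ethertype_at_12(frame) == ETHERTYPE_IPV6


def flt_ip_or_ip6(frame):    # "ip or ip6"
    return flt_ip(frame) or flt_ip6(frame)


def flt_vlan_and_ip(frame):  # "vlan and ip": skip the 4-byte tag, then test IPv4
    if ethertype_at_12(frame) != ETHERTYPE_VLAN:
        return False
    return struct.unpack_from("!H", frame, 16)[0] == ETHERTYPE_IPV4


def run_filter(frames, predicate):
    """Apply the predicate to every frame and return the statistics each
    platform would report as "received by filter"."""
    handed = 0
    matched = 0
    for frame in frames:
        handed += 1
        if predicate(frame):
            matched += 1
    return {
        "handed_to_filter": handed,
        "matched": matched,
        "received_by_filter_bpf": handed,     # FreeBSD/BPF: everything handed in
        "received_by_filter_linux": matched,  # Linux: only packets that passed
    }


def sample_traffic():
    """Constructed mix: mostly IPv6 and ARP, a little IPv4, a few
    VLAN-tagged IPv4 frames."""
    frames = []
    frames += [make_frame(ETHERTYPE_IPV6)] * 900
    frames += [make_frame(ETHERTYPE_ARP)] * 70
    frames += [make_frame(ETHERTYPE_IPV4)] * 25
    frames += [make_frame(ETHERTYPE_IPV4, vlan_id=10)] * 5
    return frames


if __name__ == "__main__":
    traffic = sample_traffic()
    for name, pred in [("ip", flt_ip), ("ip or ip6", flt_ip_or_ip6),
                       ("vlan and ip", flt_vlan_and_ip)]:
        s = run_filter(traffic, pred)
        print(f"{name:12s} handed={s['handed_to_filter']:5d} "
              f"matched={s['matched']:5d} "
              f"BPF received-by-filter={s['received_by_filter_bpf']:5d} "
              f"Linux received-by-filter={s['received_by_filter_linux']:5d}")
```

With the constructed mix, "ip" reports 1000 received by filter on a BPF system but only 25 on Linux, while both actually print the same 25 IPv4 frames; the other 975 frames were handed to the filter and rejected, which is the situation the original poster was seeing rather than packets being dropped.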

