tcpdump mailing list archives
Re: tcpdump3.9.8 slow performance with filter in FreeBSD 7.0
From: "lei wei" <weilei1983 () gmail com>
Date: Tue, 9 Sep 2008 12:17:17 -0400
Thanks a lot for the reply Guy!

According to your explanation, for libpcap, the status struct:

    struct pcap_stat {
        u_int ps_recv; /* number of packets received */
        u_int ps_drop; /* number of packets dropped */

the ps_recv field should be the total number of packets handed to the filter, regardless of whether it was matched or not. Is that correct?

If so, I guess the only way to tell how many packets were matched by the filter is to set up a counter in the pcap loopback function. Actually I do some extensive processing on each packet when receiving it in the loopback function, so the counter field I set up in it should indicate how many packets it actually processed. If I want to know the exact number of packets that actually passed the filter, do I have a way to do that? Or is the only way to look at the packets dropped?

Thank you.

On Mon, Sep 8, 2008 at 6:01 PM, Guy Harris <guy () alum mit edu> wrote:
> On Sep 8, 2008, at 6:27 AM, lei wei wrote:
>
>> By "unacceptable", I mean the number of packets that tcpdump processed was only a fraction of that of it received. I assume that "Number of Packets received by filter" are the packets that were matched by the filter expression,
>
> No. On systems with BPF (including all versions of FreeBSD, including 6.0 and 7.0, and with all versions of libpcap), "Number of Packets received by filter" is the number of packets that were handed to the filter to match, *including packets that were not matched by the filter expression*. On some other systems (e.g., Linux), it's the number of packets that passed the filter, regardless of whether they were dropped because the system ran out of buffer space.
>
>> so with a filter, tcpdump can only process 3984 out of 1091656 ip packets....
>
> So, with a filter, tcpdump was only handed 3984 packets out of 1091656 packets. Note that "ip" means IPv4, not IPv4 and IPv6; if most of the traffic on your network is either non-IP traffic (note that ARP traffic is not IP traffic) or IPv6 traffic, a filter of "ip" will filter out most of the traffic received.
>
> -
> This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
--
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill, NC 27599-3175
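A simplified model of the counting discussed in this message, as an added example that is not part of the original thread and is not libpcap or kernel code: a tiny classic-BPF interpreter runs the program that the "ip" filter compiles to over constructed Ethernet frames, incrementing a BPF-style "received by filter" counter before matching and a separate counter for packets that match. The names `struct insn`, `run_filter` and `count_sample`, the snaplen of 96 and the sample frames are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal classic-BPF instruction (hypothetical name; mirrors struct bpf_insn). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };  /* cBPF opcode values */

static const struct insn ip_filter[] = {   /* what "ip" compiles to on Ethernet */
    { LDH_ABS, 0, 0, 12 },      /* ldh [12]    load EtherType              */
    { JEQ_K,   0, 1, 0x0800 },  /* jeq #0x800  IPv4? otherwise skip one    */
    { RET_K,   0, 0, 96 },      /* ret #96     accept (snaplen 96 assumed) */
    { RET_K,   0, 0, 0 },       /* ret #0      reject                      */
};

/* Run a filter over one packet; returns bytes to keep, 0 means rejected. */
static uint32_t run_filter(const struct insn *f, size_t n, const uint8_t *p, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++)
        switch (f[pc].code) {
        case LDH_ABS:
            if ((size_t)f[pc].k + 2 > len) return 0;   /* load past end rejects */
            a = (uint32_t)p[f[pc].k] << 8 | p[f[pc].k + 1]; break;
        case JEQ_K: pc += (a == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case RET_K: return f[pc].k;
        default:    return 0;                          /* unsupported opcode */
        }
    return 0;
}

struct counts { unsigned handed_to_filter, matched; };
/* Constructed traffic: 2 IPv4, 2 ARP, 2 IPv6 frames (only EtherType is set). */
static struct counts count_sample(void)
{
    static const uint16_t types[] = { 0x0800, 0x0806, 0x86dd, 0x0800, 0x86dd, 0x0806 };
    struct counts c = { 0, 0 };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        uint8_t frame[60] = { [12] = (uint8_t)(types[i] >> 8), [13] = (uint8_t)types[i] };
        c.handed_to_filter++;    /* BPF-style ps_recv: counted before matching */
        if (run_filter(ip_filter, 4, frame, sizeof frame)) c.matched++;  /* callback's view */
    }
    return c;
}

int main(void)
{
    struct counts c = count_sample();
    return printf("handed to filter: %u, matched \"ip\": %u\n", c.handed_to_filter, c.matched) < 0;
}
```

In a real capture the second counter is the one a per-packet counter in the pcap callback would hold, minus any packets dropped for lack of buffer space.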