Re: Question regarding libpcap filters and sflow,

[Diego Valverde <diego.valverde.g () gmail com>]

Hi,
I am using linux on my device.
I do not want to have to copy all the packets from kernel space to user
space for performance reasons.
I am not very familiar with the memory-mapped access capture mechanism.
Would this avoid the performance hit of context switch memory spaces?
Can you point me to some resources on that particular capture mechanism?

Thanks
-D

On Mon, Apr 6, 2009 at 4:53 PM, Guy Harris <guy () alum mit edu> wrote:

> On Apr 6, 2009, at 2:52 PM, Diego Valverde wrote:
>
>  Is there a way to specify 1 out of every N packets sampling using an
> > existing  filter combination?
>
> No.  The filtering mechanism was created in order to filter based on packet
> content, and that's all it supports checking.
>
>  if not where should I look into the code in order to extend the filtering
> > functionally for my particular needs?
>
> Nowhere - as indicated, the filtering mechanism checks only packet
> contents.
>
> I'm assuming the embedded device is running an operating system such as
> Linux, so that packets have to be copied from kernel space to user space
> (unless libpcap is using the memory-mapped access mechanism on Linux or
> FreeBSD) to be delivered to libpcap.
>
> If you don't care whether packets not being sampled are copied from kernel
> space to user space (or if you're running on a version of Linux or FreeBSD
> with a memory-mapped capture interface), you could just do the sampling in
> the code that reads from libpcap.
>
> If you do care, you'll have to implement the filtering in the kernel.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.