Re: Question regarding libpcap filters and sflow, how to filter 1 out of every N packets.

[Guy Harris <guy () alum mit edu>]

On Apr 6, 2009, at 3:53 PM, Guy Harris wrote:

> I'm assuming the embedded device is running an operating system such  
> as Linux, so that packets have to be copied from kernel space to  
> user space (unless libpcap is using the memory-mapped access  
> mechanism on Linux or FreeBSD) to be delivered to libpcap.
>
> If you don't care whether packets not being sampled are copied from  
> kernel space to user space (or if you're running on a version of  
> Linux or FreeBSD with a memory-mapped capture interface), you could  
> just do the sampling in the code that reads from libpcap.
>
> If you do care, you'll have to implement the filtering in the kernel.

Packets that are to be passed to libpcap might still require more  
copies than packets that don't even with a memory-mapped interface, so  
even there, filtering in the kernel might make a difference.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.