tcpdump mailing list archives

Re: Packet drop counts via pcap_stats()


From: Dustin Spicuzza <dustin () virtualroadside com>
Date: Sat, 27 Feb 2010 20:35:43 -0500

Jim Lloyd wrote:
Over the last couple months we have developed and deployed into a production
environment an application using libpcap, where we sniff upwards of 350Mbps
of HTTP traffic arriving via a SPAN. On the whole I am extremely pleased
with libpcap in terms of both the ease of implementation and the
efficiency/throughput/quality of the packet capture. We are clearly not
getting all packets, but there is fairly strong evidence this is mostly due
to being too aggressive with the SPAN.

However, one concern I have with libpcap is that it seems that pcap_stats()
has never reported a dropped packet. Is this a known problem? We are using
libpcap-1.0.0 on CentOS 5.4, which uses the Linux kernel 2.6.18-164.el5,
on x86_64.

I have also run our application with valgrind, and when I do, the volume of
packets processed drops significantly for the same traffic. It is not
surprising to me that we are forced to handle lower throughput under
valgrind, but it is bothersome that I don't seem to have any way for pcap to
tell me that it can't keep up.

Is this expected behavior, or is there something I am overlooking?


There are at least two things that measure losses on Linux, one on the
socket buffer and one on the interface itself. pcap_stats() only
reported losses on the socket buffer. This problem was fixed in HEAD a
few months ago.

Not sure why a 1.1.1 release hasn't been done a lot earlier than this,
but libpcap HEAD fixes a lot of bugs.

Dustin


-- 
Innovation is just a problem away
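
Added example, not part of the original message and not libpcap's own code: a way to watch the interface-side loss counter separately from pcap_stats(), by snapshotting the receive "drop" column of /proc/net/dev before and after a capture window. It assumes that column is the interface counter the reply refers to; the snapshot text, the interface name eth1 and the helper names rx_drop and rx_drop_delta are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples in /proc/net/dev layout, not taken from a real host. */
static const char SNAP_BEFORE[] =
    "Inter-|   Receive                                   |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast|bytes packets\n"
    "    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"
    "  eth1:90000000 750000 0 120 0 0 0 0 0 0 0 0 0 0 0 0\n";
static const char SNAP_AFTER[] =
    "Inter-|   Receive                                   |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast|bytes packets\n"
    "    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"
    "  eth1:180000000 1400000 0 4620 0 0 0 0 0 0 0 0 0 0 0 0\n";

/* Return the receive-side "drop" counter for ifname, or -1 if the
 * interface is absent or its line is malformed. */
long long rx_drop(const char *text, const char *ifname)
{
    size_t want = strlen(ifname);
    for (const char *line = text; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *name = line + strspn(line, " \t");
        const char *colon = strchr(name, ':');
        /* Header lines have no colon before their own end of line. */
        if (colon && (!eol || colon < eol) &&
            (size_t)(colon - name) == want && strncmp(name, ifname, want) == 0) {
            unsigned long long bytes, pkts, errs, drop;
            if (sscanf(colon + 1, "%llu %llu %llu %llu",
                       &bytes, &pkts, &errs, &drop) == 4)
                return (long long)drop;
            return -1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Drops at the interface between two snapshots; -1 if either read failed
 * or the counter went backwards (reset or interface re-created). */
long long rx_drop_delta(const char *before, const char *after, const char *ifname)
{
    long long a = rx_drop(before, ifname), b = rx_drop(after, ifname);
    return (a < 0 || b < 0 || b < a) ? -1 : b - a;
}

int main(void)
{
    printf("eth1 interface drops in window: %lld\n",
           rx_drop_delta(SNAP_BEFORE, SNAP_AFTER, "eth1"));
    return 0;
}
```

In a real capture loop the two snapshots would be read from /proc/net/dev at the start and end of the window, and the delta logged alongside the values pcap_stats() returns.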
