tcpdump mailing list archives

pcap_dispatch on linux 2.6 with libpcap 1.1.1


From: Jim Lloyd <jlloyd () silvertailsystems com>
Date: Sat, 21 Aug 2010 15:30:37 -0700

I'm a little confused about the expected behavior of pcap_dispatch on Linux
using libpcap 1.1.1.  The initialization code I use (error handling omitted)
looks like this:

    mChannel = pcap_create(device, errbuf);
    int err = pcap_set_promisc(mChannel, int(promiscuous));
    err = pcap_set_snaplen(mChannel, 65535);
    err = pcap_set_timeout(mChannel, 250);
    err = pcap_set_buffer_size(mChannel, 512*1024*1024);
    err = pcap_activate(mChannel);

I call pcap_dispatch (from within a loop that does a small amount of other
administrative work) as follows:

    int result = pcap_dispatch(mChannel, 1000, Thunk, (u_char*) this);

I have tested with the above logic while sniffing traffic on a GigE ethernet
NIC (eth0) and on the loopback device (lo). The test machine is an 8-core
Opteron with 32Gb of RAM running CentOS 5.5 with kernel 2.6.18. The traffic
generator program is a small program using libcurl to repeatedly download a
mix of static content from apache 2.2, with 4 concurrent connections. The
test results are:

          pps     Mbps     avg packets/dispatch
eth0      30K     850      3.009
lo        23K    1700      3.5

The total throughput here is excellent, so I'm not complaining. But why is
the packets per dispatch so small? I was under the impression that at these
data rates pcap_dispatch should process the requested 1000 packets per call
instead of just ~3. Does this mean the 512Mb memory buffer is huge overkill?

Also, note that pcap_stats is not reporting any dropped packets, but I have a
little bit of evidence that some packet loss may be occurring when sniffing
ethernet. The evidence is that my application occasionally fails to
reconstruct a TCP stream when sniffing ethernet, but never fails to
reconstruct any TCP streams when sniffing loopback. However, I wouldn't be
surprised if this is due to my TCP reconstruction code failing to handle
some rare corner case that happens with real TCP packets but does not happen
with loopback.

Thanks in advance for any insights.

Thanks,
Jim Lloyd
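
One way to test the packet-loss hypothesis raised in the message above, as an added example (not part of the original post and not libpcap code): if the peer acknowledges bytes that no captured segment carried, the capture missed packets that did reach the receiver. The `struct seg` layout and the function name are hypothetical, and the check assumes both directions of one connection are captured in wire order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One captured segment of a single TCP connection (hypothetical struct).
 * dir: 0 = client->server, 1 = server->client.
 * len: sequence space consumed (payload bytes, +1 for SYN or FIN). */
struct seg { int dir; uint32_t seq, len; int has_ack; uint32_t ack; };

/* Serial-number compare, so 32-bit sequence wraparound is handled. */
static int seq_gt(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Bytes the receiver acknowledged that no captured segment carried.
 * Non-zero means the capture missed packets that did reach the peer. */
uint32_t acked_unseen_bytes(const struct seg *s, size_t n)
{
    uint32_t base[2] = {0, 0}, missing = 0; /* base[d]: end of accounted bytes */
    int have[2] = {0, 0};

    for (size_t i = 0; i < n; i++) {
        int d = s[i].dir, p = 1 - d;        /* this ACK covers direction p */
        if (!have[d]) { base[d] = s[i].seq; have[d] = 1; }
        if (!s[i].has_ack || !have[p]) continue;
        while (seq_gt(s[i].ack, base[p])) {
            uint32_t next = s[i].ack;       /* nearest captured byte above base */
            int grew = 0;
            for (size_t j = 0; j < i; j++) {
                uint32_t b = s[j].seq, e = b + s[j].len;
                if (s[j].dir != p) continue;
                if (!seq_gt(b, base[p]) && seq_gt(e, base[p])) { base[p] = e; grew = 1; }
                else if (seq_gt(b, base[p]) && seq_gt(next, b)) next = b;
            }
            if (!grew) { missing += next - base[p]; base[p] = next; } /* a hole */
        }
    }
    return missing;
}

/* Constructed trace: the segment carrying bytes 1100..1199 is absent, yet
 * the server acknowledges up to 1300. */
static const struct seg lossy[] = {
    {0, 1000, 100, 1, 5000}, {0, 1200, 100, 1, 5000}, {1, 5000, 0, 1, 1300},
};

int main(void)
{
    printf("acked but never captured: %u bytes\n",
           (unsigned)acked_unseen_bytes(lossy, 3));
    return 0;
}
```

Retransmissions and out-of-order segments that were captured do not count as missing, because coverage is recomputed from every segment seen before each ACK.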