tcpdump mailing list archives

Re: Performance impact with multiple pcap handlers on Linux


From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Tue, 22 Dec 2020 22:20:59 -0800

--- Begin Message ---
From: Guy Harris <gharris () sonic net>
Date: Tue, 22 Dec 2020 22:20:59 -0800

On Dec 22, 2020, at 3:31 PM, Linus Lüssing <linus.luessing () c0d3 blue> wrote:

> Basically we want to do live measurements of the overhead of the mesh
> routing protocol and measure and dissect the layer 2 broadcast traffic.
> To measure how much ARP, DHCP, ICMPv6 NS/NA/RS/RA, MDNS, LLDP overhead
> etc. we have.

OK, so I'm not a member of the bpf mailing list, so this message won't get to that list, but:

Given how general (e)BPF is in Linux, and given the number of places where you can add an eBPF program, and given the 
extensions added by the "(e)" part, it might be possible to:

        construct a single eBPF program that matches all of those packet types;

        provides, in some fashion, an indication of *which* of the packet types matched;

        provides the packet length as well.

If you *only* care about the packet counts and packet byte counts, that might be sufficient if the eBPF program can be 
put into the right place in the networking stack - it would also mean that the Linux kernel wouldn't have to copy the 
packets (as it does for each PF_PACKET socket being used for capturing, and there's one of those for every pcap_t), and 
your program wouldn't have to read those packets.

libpcap won't help you there, as it doesn't even know about eBPF, much less about its added capabilities, but it 
sounds as if this is a Linux-specific program, so that doesn't matter.  There may be a compiler allowing you to write a 
program to do what's described above and get it compiled into eBPF.

I don't know whether there's a place in the networking stack to which you can attach an eBPF probe to do this, but I 
wouldn't be surprised to find out that there is one.

--- End Message ---
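
The single-pass classification the message describes (one program that matches all the listed packet types, reports which one matched, and accounts for the packet length) can be sketched as follows. This is an added example, not code from the message, libpcap, or the kernel: it is plain userspace C written in the bounds-checked style an eBPF program would need, and every name in it (classify, udp_cls, counters, the C_* classes) is hypothetical. It assumes untagged Ethernet II frames and does not walk IPv6 extension headers.

```c
/* Added example (hypothetical names): one pass yields the matching class and updates counters. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum cls { C_OTHER, C_ARP, C_LLDP, C_DHCP, C_MDNS, C_ND, C_MAX };
struct ctr { uint64_t pkts, bytes; };
struct ctr counters[C_MAX];             /* stands in for a per-class eBPF map */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* UDP destination port -> class: DHCPv4 67/68, DHCPv6 546/547, mDNS 5353. */
static enum cls udp_cls(const uint8_t *u, size_t left)
{
    if (left < 8) return C_OTHER;
    uint16_t d = be16(u + 2);
    if (d == 67 || d == 68 || d == 546 || d == 547) return C_DHCP;
    return d == 5353 ? C_MDNS : C_OTHER;
}

/* Classify one untagged Ethernet II frame; every read is length-checked first,
 * as the eBPF verifier would demand. IPv6 extension headers are not walked. */
enum cls classify(const uint8_t *f, size_t len)
{
    enum cls c = C_OTHER;
    uint16_t et = len >= 14 ? be16(f + 12) : 0;
    const uint8_t *l3 = len >= 14 ? f + 14 : f;
    size_t left = len >= 14 ? len - 14 : 0;

    if (et == 0x0806) c = C_ARP;
    else if (et == 0x88cc) c = C_LLDP;
    else if (et == 0x0800 && left >= 20 && l3[9] == 17) {
        size_t ihl = (size_t)(l3[0] & 0x0f) * 4;
        if (ihl >= 20 && left >= ihl && !(be16(l3 + 6) & 0x1fff))
            c = udp_cls(l3 + ihl, left - ihl);  /* first fragment only */
    } else if (et == 0x86dd && left >= 41) {
        if (l3[6] == 17) c = udp_cls(l3 + 40, left - 40);
        else if (l3[6] == 58 && l3[40] >= 133 && l3[40] <= 136)
            c = C_ND;                           /* ICMPv6 RS/RA/NS/NA */
    }
    counters[c].pkts++;                         /* packet count per class */
    counters[c].bytes += len;                   /* byte count per class */
    return c;
}

int main(void)
{
    uint8_t lldp[60] = { [12] = 0x88, [13] = 0xcc };  /* constructed sample frame */
    printf("class=%d\n", (int)classify(lldp, sizeof lldp));
    return 0;
}
```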