2015-10-13 12:53 GMT+02:00 Thomas Martin <[email protected]>:
> 2015-10-13 12:16 GMT+02:00 Daniel Borkmann <[email protected]>:
>> Yes, that would be expected. The reason is that ifpps dumps the stats from
>> the NIC
>> while tcpstat looks at the pcap file, where you only dump the headers. So
>> when the
>> BPF filter truncates the packet, the new, truncated length is written to the
>> pcap
>> file.
>
> Ok, my mistake, I wasn't expecting that.
> I will test it without filter.
>
> Thanks!
I just did a little test and it seems that dumping headers only
doesn't alter the length .
Here is the stats for two dumps did in the same time:
- no filter (netsniff-ng -i eth3 -o /pcap/pcaps/ -s --prefix
datacenter. --verbose --ring-size 64MiB --interval 1min --mmap):
# tcpstat -r /pcap/pcaps/datacenter.1444734147.pcap 1 | awk '{print
$5}' | cut -d'=' -f2 | sort -n | tail -1
101088520.00
- with filter (netsniff-ng -i eth3 -o /pcap/pcaps_headers/ -s --prefix
datacenter. --verbose --ring-size 64MiB --interval 1min --mmap -f
/root/headers_only.bpfc)
# tcpstat -r /pcap/pcaps_headers/datacenter.1444734147.pcap 1 | awk
'{print $5}' | cut -d'=' -f2 | sort -n | tail -1
101124776.00
Am I missing something else?
Thomas
--
You received this message because you are subscribed to the Google Groups
"netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
