Rick Jones wrote:
Jesse Kempf wrote:
Hi,
So tcpdump tends to jam up the terminal a bit when you try to dump on
a saturated gigabit link. I've added a -P option to tcpdump that lets
you specify a probability for tcpdump to print each packet. It uses
drand48() to figure out whether each packet captured should be
printed. Obviously this isn't the same thing as saying "print every
Nth packet" since this is a Bernoulli process and the expected value
of the number of printed packets is different.

The wording won't sound right... but what's the point? Just wanting
to watch pseudo-random subsets of the traffic? I'd think that if one
wanted to be tracing a gigabit link one would trace to a binary file
and post-process, or have a rather specific filter in place?

If you were looking for specific traffic, then yes, the filter would
work and the bpf wouldn't even deliver the traffic to tcpdump. I've
already found it useful to pull up tcpdump on a saturated link and
figure out what's going on, in real time. For an in-depth analysis,
post-processing is obviously the way to go. For seeing who's hogging
bandwidth, the random sampling approach works quite well.
-Jesse
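
The two sampling schemes contrasted in this thread, as an added example that is not code from the tcpdump patch: per-packet Bernoulli sampling with drand48() next to "print every Nth packet", run over a constructed periodic traffic mix to see which one still identifies the bandwidth hog. The `drand48() < p` comparison, the function names and the 70/20/10 traffic mix are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

double drand48(void); void srand48(long);  /* POSIX; repeated for strict ISO C builds */
#define NSRC 3

/* Constructed traffic: in every run of 10 packets, source 0 sends 7,
 * source 1 sends 2 and source 2 sends 1 (a strictly periodic pattern). */
static int src_of(long i) {
    int r = (int)(i % 10);
    return r < 7 ? 0 : (r < 9 ? 1 : 2);
}

/* Bernoulli sampling: each packet is selected independently with
 * probability p (assumed test: drand48() < p). Returns the number selected. */
long bernoulli_sample(long n, double p, long seed, long sampled[NSRC]) {
    long printed = 0;
    srand48(seed);
    for (int s = 0; s < NSRC; s++) sampled[s] = 0;
    for (long i = 0; i < n; i++)
        if (drand48() < p) { sampled[src_of(i)]++; printed++; }
    return printed;
}

/* Deterministic alternative: select every Nth packet. */
long every_nth_sample(long n, long N, long sampled[NSRC]) {
    long printed = 0;
    for (int s = 0; s < NSRC; s++) sampled[s] = 0;
    for (long i = 0; i < n; i++)
        if (i % N == 0) { sampled[src_of(i)]++; printed++; }
    return printed;
}

/* Source with the most sampled packets, i.e. the apparent bandwidth hog. */
int top_source(const long sampled[NSRC]) {
    int best = 0;
    for (int s = 1; s < NSRC; s++) if (sampled[s] > sampled[best]) best = s;
    return best;
}

int main(void) {
    long b[NSRC], e[NSRC];
    long nb = bernoulli_sample(100000, 0.01, 42, b);
    long ne = every_nth_sample(100000, 100, e);
    printf("bernoulli p=0.01: %ld printed, per source %ld/%ld/%ld\n", nb, b[0], b[1], b[2]);
    printf("every 100th:      %ld printed, per source %ld/%ld/%ld\n", ne, e[0], e[1], e[2]);
    return 0;
}
```

The Bernoulli count varies around n*p from run to run while the per-source shares stay close to the real mix; every-100th prints exactly n/N packets, but on this periodic input it only ever lands on source 0.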
This is the tcpdump-workers list.