Hi,

> I would like to capture TCP traffic to/from several groups of hosts, maybe we
> are talking about 20-30 groups in the maximum with something between 1-10
> hosts in each group. All these hosts have individual IPs and ports, there is no
> chance to capture parts of a network or something like that. I would like to
> do the job with libpcap under Linux and WinPcap under Windows.
If I understood that correctly, you would end up with a filter expression with 20-30 distinct IP ranges that will be concatenated with "and"s.

I can only tell this for Linux:

> If you had to solve this problem, which way would you go?

I would definitely go with the huge expression rather than single threads. The reason is the following: the filter expression will get transferred into BPF(-like for Linux) code which is then executed in kernel context. All the packets that match the expression end up in a queue to be withdrawn by the user-space application, usually using libpcap functionality. If you start several capture threads simultaneously you will end up with multiple queues and multiple processes requesting data from the kernel. This leads to a huge amount of kernel-to-userspace context switches which harm the capturing performance. As shown in my master's thesis (Diplomarbeit), especially Linux cannot deal with the load of multiple concurrent capturing processes well. But even for complex filters (way more complex than your setting) the performance is only slightly affected. See Sections 6.3.2 and 6.3.3 in my thesis:

http://www.net.t-labs.tu-berlin.de/~fabian/papers/da.pdf

best
Fabian Schneider

--
Fabian Schneider (Dipl. Inf.), An-Institut Deutsche Telekom Laboratories
Technische Universitaet Berlin, Fakultaet IV -- E-Technik und Informatik
address: Sekr. TEL 4, Ernst-Reuter-Platz 7, 10587 Berlin
e-mail: [EMAIL PROTECTED], WWW: http://www.net.in.tum.de/~schneifa
phone: +49 30 8353 - 58513, mobile: +49 179 242 76 71

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
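The single-expression approach recommended in the reply still needs the expression to be generated from the host/port inventory rather than typed by hand. The following Python script is an added example (not code from the thread's participants or from tcpdump/libpcap); it assumes a constructed inventory `GROUPS` of group name to `(ip, port)` pairs, and the helper names `host_term`, `group_term` and `build_filter` are hypothetical. It emits one BPF expression in which each host is `host X and port P` (libpcap's `host` and `port` match either direction, which covers "to/from"), hosts within a group are joined with `or`, and the groups themselves are joined with `or` under a single `tcp` qualifier, so a single capture handle sees exactly the wanted traffic. Addresses and ports are validated up front so a malformed entry fails in the script instead of as an obscure `pcap_compile` error.

```python
"""Build one libpcap/BPF filter expression covering many groups of hosts.

Added example for the tcpdump-workers thread above; not the project's own code.
Helper names and the sample inventory are assumptions for illustration.
"""
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (RFC 5737 / 3849 documentation addresses).
# Value: list of (ip, tcp_port); port None means "any TCP port on that host".
GROUPS: Dict[str, List[Tuple[str, Optional[int]]]] = {
    "web":    [("192.0.2.10", 443), ("192.0.2.11", 443)],
    "db":     [("198.51.100.5", 5432), ("2001:db8::5", 5432)],
    "legacy": [("203.0.113.7", None)],
}


def host_term(ip: str, port: Optional[int]) -> str:
    """Return the BPF primitive for one host, e.g. '(host 192.0.2.10 and port 443)'."""
    ip_address(ip)  # raises ValueError on a malformed IPv4/IPv6 literal
    if port is None:
        return f"host {ip}"
    if not 0 < port < 65536:
        raise ValueError(f"invalid TCP port {port!r} for host {ip}")
    # Parentheses keep 'and' bound to this host when the terms are OR'ed together.
    return f"(host {ip} and port {port})"


def group_term(hosts: List[Tuple[str, Optional[int]]]) -> str:
    """OR the host primitives of one group into a single parenthesised term."""
    if not hosts:
        raise ValueError("group has no hosts")
    terms = [host_term(ip, port) for ip, port in hosts]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def build_filter(groups: Dict[str, List[Tuple[str, Optional[int]]]],
                 proto: str = "tcp") -> str:
    """Combine all groups into one expression suitable for pcap_compile()/tcpdump."""
    group_terms = [group_term(hosts) for hosts in groups.values()]
    if not group_terms:
        raise ValueError("no groups given")
    return f"{proto} and (" + " or ".join(group_terms) + ")"


if __name__ == "__main__":
    print(build_filter(GROUPS))
```

Running the script prints one expression; pass it to `tcpdump -d '<expression>'` to have libpcap compile it and dump the resulting BPF program, which confirms the expression is accepted and shows how large the in-kernel filter actually becomes. Because the expression is evaluated in kernel context, enlarging it costs far less than opening a second capture handle, which is the point the reply makes.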