> I'm currently doing packet capturing on a FreeBSD 7.0 system. I was actually
> running my own pcap based program but found the performance was very bad
> when I added a simple filter as "ip". So I tested tcpdump on the same
> machine. It turned out that the performance of tcpdump without a filter
> expression is reasonably well, but turned to unacceptable when applying an
> "ip" filter.

Please define "unacceptable".

> I guess it must have something to do with the libpcap0.9.8.. Below is some
> result I got. The version on the machine is tcpdump3.9.8 with libpcap0.9.8
>
> 1. tcpdump without filter:
> # tcpdump -i em1 -s 1500 -w dump.dat
> 433145 packets captured
> 448830 packets received by filter
> 0 packets dropped by kernel
>
> 2. tcpdump with filter:
> # tcpdump -i em1 -s 1500 -w dump.dat ip
> 3984 packets captured
> 1091656 packets received by filter
> 0 packets dropped by kernel

The statistics show 0 packets dropped. What is your problem here - are you
saying that there are *more* IP packets (in the 1091656 packets received by
the filter) than the 3984 packets captured?

I run tcpdump on various FreeBSD 7 systems myself with no apparent problems.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.