Hi,

By "unacceptable", I mean the number of packets that tcpdump processed was only a fraction of those it received. I assume that "Number of Packets received by filter" are the packets that were matched by the filter expression, so with a filter, tcpdump can only process 3984 out of 1091656 ip packets.... And also, the port I'm monitoring on is a mirror of the department building uplink, so it should have a major component of ip packets.

Hope it clarifies. Thanks.

Lei

On Mon, Sep 8, 2008 at 3:59 AM, <[EMAIL PROTECTED]> wrote:

> > I'm currently doing packet capturing on a FreeBSD 7.0 system. I was
> > actually running my own pcap based program but found the performance
> > was very bad when I added a simple filter as "ip". So I tested tcpdump
> > on the same machine. It turned out that the performance of tcpdump
> > without a filter expression is reasonably well, but turned to
> > unacceptable when applying an "ip" filter.
>
> Please define "unacceptable".
>
> > I guess it must have something to do with the libpcap0.9.8.. Below is
> > some result I got. The version on the machine is tcpdump3.9.8 with
> > libpcap0.9.8
> >
> > 1. tcpdump without filter:
> > # tcpdump -i em1 -s 1500 -w dump.dat
> > 433145 packets captured
> > 448830 packets received by filter
> > 0 packets dropped by kernel
> >
> > 2. tcpdump with filter:
> > # tcpdump -i em1 -s 1500 -w dump.dat ip
> > 3984 packets captured
> > 1091656 packets received by filter
> > 0 packets dropped by kernel
>
> The statistics show 0 packets dropped. What is your problem here - are
> you saying that there are *more* IP packets (in the 1091656 packets
> received by the filter) than the 3984 packets captured?
>
> I run tcpdump on various FreeBSD 7 systems myself with no apparent
> problems.
>
> Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]

--
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill, NC 27599-3175
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.