Thanks a lot for the reply, Guy! According to your explanation, for libpcap, in
the stats struct:

struct pcap_stat {
    u_int ps_recv;        /* number of packets received */
    u_int ps_drop;        /* number of packets dropped */
};

the ps_recv field should be the total number of packets handed to the filter,
regardless of whether they were matched or not. Is that correct? If so, I guess
the only way to tell how many packets were matched by the filter is to set up a
counter in the pcap loopback function. Actually, I do some extensive processing
on each packet when receiving it in the loopback function, so the counter field
I set up in it should indicate how many packets it actually processed. If I
want to know the exact number of packets that actually passed the filter, is
there a way to do that, or is the only way to look at the packets dropped?

Thank you.



On Mon, Sep 8, 2008 at 6:01 PM, Guy Harris <[EMAIL PROTECTED]> wrote:

>
> On Sep 8, 2008, at 6:27 AM, lei wei wrote:
>
>> By "unacceptable", I mean the number of packets that tcpdump processed was
>> only a fraction of what it received. I assume that "Number of Packets
>> received by filter" are the packets that were matched by the filter
>> expression,
>>
>
> No.
>
> On systems with BPF (including all versions of FreeBSD, including 6.0 and
> 7.0, and with all versions of libpcap), "Number of Packets received by
> filter" is the number of packets that were handed to the filter to match,
> *including packets that were not matched by the filter expression*.
>
> On some other systems (e.g., Linux), it's the number of packets that passed
> the filter, regardless of whether they were dropped because the system ran
> out of buffer space.
>
>> so with a filter, tcpdump can only process 3984 out of 1091656 ip packets....
>>
>
> So, with a filter, tcpdump was only handed 3984 packets out of 1091656
> packets.
>
> Note that "ip" means IPv4, not IPv4 and IPv6; if most of the traffic on
> your network is either non-IP traffic (note that ARP traffic is not IP
> traffic) or IPv6 traffic, a filter of "ip" will filter out most of the
> traffic received.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>



-- 
Wei, Lei
Department of Computer Science
University of North Carolina at Chapel Hill,
NC 27599-3175
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
