Thanks, I'll get the latest and report back what I learn. On Sat, Feb 27, 2010 at 5:35 PM, Dustin Spicuzza <[email protected] > wrote:
> Jim Lloyd wrote: > > Over the last couple months we have developed and deployed into a > production > > environment an application using libpcap, where we sniff upwards of > 350Mbps > > of HTTP traffic arriving via a SPAN. On the whole I am extremely pleased > > with libpcap in terms of both the ease of implementation and the > > efficiency/throughput/quality of the packet capture. We are clearly not > > getting all packets, but there is fairly strong evidence this is mostly > due > > to being too aggressive with the SPAN. > > > > However, one concern I have with libpcap is that it seems that > pcap_stats() > > has never reported a dropped packet. Is this a known problem? We are > using > > libpcap-1.0.0 on CentOS 5.4, which uses the Linux kernel 2.6.18-164.el5, > > on x86_64. > > > > I have also run our application with valgrind, and when I do the volume > of > > packets processed drops significantly for the same traffic. It is not > > surprising to me that we are forced to handle lower throughput under > > valgrind, but it is bothersome that I don't seem to have any way for pcap > to > > tell me that it can't keep up. > > > > Is this expected behavior, or is there something I am overlooking? > > > > There are at least two things that measure losses on linux, one on the > socket buffer and one on the interface itself. pcap_stats() only > reported losses on the socket buffer. This problem was fixed in HEAD a > few months ago. > > Not sure why a 1.1.1 release hasn't been done a lot earlier than this, > but libpcap HEAD fixes a lot of bugs. > > Dustin > > > -- > Innovation is just a problem away > > - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
