On Dec 16, 2011, at 1:51 PM, Jon Schipp wrote:
> Do the recent tcpdump releases use the shared memory functionality of
> the newer libpcap libraries?
> Basically, if I download the latest tcpdump and the latest libpcap and
> compile them on FreeBSD and on Linux, and then run the binary, will I
> get the speed advantages of mmap()?
There are no APIs in libpcap that are required in order to use the
memory-mapped capture mechanisms, so neither tcpdump nor any other program that
captures traffic needs to be changed in order to use that functionality, so
*all* tcpdump releases, if either
1) compiled and then linked with a static-library version of libpcap
that uses the memory-mapped capture mechanism
or
2) compiled and linked with a shared-library version of libpcap and
then run on a system with a shared-library version of libpcap that uses the
memory-mapped capture mechaism, *regardless* of whether the shared-library
version with which it's linked supports the memory-mapped capture mechanism
will use it.
> Or are there other things that I have to do, tcpdump/libpcap or maybe
> OS related?
Well, one think you need to do is to have an OS version where the kernel
supports the memory-mapped capture mechanism.
For FreeBSD, that means FreeBSD 8.0 or later. You will also have to enable the
memory-mapped capture mechanism, as it's disabled by default; use the sysctl
command to set net.bpf.zerocopy_enable to 1. If you have FreeBSD 8.0 or later,
the version of libpcap that comes with the system supports the memory-mapped
capture mechanism; you would not have to recompile libpcap or tcpdump in order
to use it - you would only need to set the net.bpf.zerocopy_enable sysctl
variable to 1.
For Linux, any 2.6 kernel and, I think, any 2.4 kernel should have that.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
