tcpdump mailing list archives

Re: PCAP performance


From: "Hans Klute" <hklute () gmx de>
Date: Thu, 1 Apr 2004 16:11:22 +0200 (MEST)

I have written a packet sniffer under C++ using libpcap.
Now I have noticed that about every 3 minutes and 15 seconds the program
uses 100% of the CPU.
After about 45 sec the program works normally again and uses only 10% of
the CPU time.

Sure sounds like a problem with your program - as far as I know there
is nothing in libpcap which would cause this.

The program is running on a 300 MHz Celeron with 128 MB RAM under
Slackware 8.1.
I also tried it under a 1600 Athlon XP with 512 MB RAM under SuSE 8.2.
There was the same behaviour, except that it only used 80% of the CPU
and it was back to normal faster.
I use libpcap 0.8.1 and pcap_dispatch, which is called in a while
statement of a pthread, with 1 as parameter for number of packets to
capture.
I first thought that I made a mistake in the call-back function, but I
replaced my code with return and it did the same thing.
I tested the program with hping2 and sent a packet every 10 ms. The
filter used is quite long and consists of about 150 pairs of IP addresses
and ports.

A packet every 10 ms is only 100 pps - this should be no problem at
all. If I test tcpdump on a FreeBSD/Pentium 700 MHz machine with 100
pps, I see less than 1% load from running tcpdump. I recommend that
you test tcpdump on your system with the same filter as your C++
program and see what happens. If you do "tcpdump -nw /dev/null" you
have removed all DNS lookups and all writing to the terminal, and
should be left with the load from tcpdump/libpcap itself.

It is correct that the performance of tcpdump is better, but it shows the
same behaviour, just not as strongly.
Also, about every 3 minutes the idle time of the CPU goes down to 62
percent. It is back at normal within 15 sec (values from top).
It seems to me that somehow libpcap "hangs" for a moment, and because my
program processes whole packets (snaplen 1500) it takes some time and CPU
power to get the queue of packets empty.

Hans

Steinar Haug, Nethelp consulting, sthaug () nethelp no

