[Bro-Dev] snaplen and drops

Lothar Braun braun at net.in.tum.de
Thu Nov 3 16:56:18 PDT 2011


Hi,

On Nov 3, 2011, at 2:42 PM, Seth Hall wrote:

> 
> On Nov 3, 2011, at 8:58 AM, Lothar Braun wrote:
> 
>> I had a quick look at the libpcap (1.2.0) and the libdaq (0.6.2) code. It seems to me that both of them perform basically the same steps for packet acquisition.
>> 
>> Both create a socket PF_PACKET socket, both request a shared memory area on the capturing rx_ring. And both perform similar operations during packet acquisition:
> 
> 
> Did you look int the os-daq-modules/daq_afpacket.c file?  DAQ implements the AF_PACKET support there.


Yes, I was comparing 

daq-0.6.2/os-daq-modules/daq_afpacket.c

to 

libpcap-1.2.0/pcap-linux.c

In my opinion, the important parts are:

Setup phase:

socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))

which creates the AF_PACKET socket

setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, some_stuff_stuff);
mmap(...);

which creates and maps a shared buffer between kernel and user space. One important difference could be the default buffer size between kernel and userspace. Libpcap chooses 2 MB. I have no idea what libdaq defaults to.

Receiving packets is also done in a similar way:

As long as there are packets:
	comsume packets
else 
	call poll() on the socket and sleep until new packet arrives

So, if I'm not overlooking something that is important for capturing performance, both implementations should result in similar capture rates.

Lothar

--
Lothar Braun
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18010       Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de 









More information about the bro-dev mailing list