TPACKET_V3 on Linux for the most efficient high speed packet capture #454

Closed
jfree9876543212 opened this issue Sep 2, 2015 · 5 comments

@jfree9876543212

Porting a tcpdump-like packet sniffer program from AIX to Linux 2.6.9-5 using the most recent 1.7.4 Linux pcap download for Linux.

Built a libpcap.a library per http://www.linuxfromscratch.org/blfs/view/svn/basicnet/libpcap.html.

Packet sniffer program calls pcap_loop to obtain the packets per the below example:
pcap_loop(adapterHandle, -1, pktAccumulator, pcap_userdata)

Per web discussions TPACKET_V3 is supposed to provide the most efficient packet capture (lowest packet loss).

Is there anything else (in terms of libpcap configuration/usage) that should be performed/considered to ensure the most efficient high speed packet capture (lowest packet loss) on Linux?

Thanks in advance.

@guyharris
Member

> Per web discussions TPACKET_V3 is supposed to provide the most efficient packet capture (lowest packet loss).

Then you'll need a kernel newer than 2.6.9, because TPACKET_V3 didn't show up until the 3.2 kernel.

@jfree9876543212
Author

Thanks for the info. Question.

If a sniffer program is compiled on a 2.6.9 kernel with 1.7.4 libpcap and then run on a 3.2 kernel or higher, will TPACKET_V3 be used?

@guyharris
Member

If the program is dynamically linked with libpcap, so that it uses the libpcap installed on the system, and if the system with the 3.2 kernel has a new enough libpcap (i.e., libpcap 1.5.0 or later) as the system libpcap, it should use TPACKET_V3 even if it was compiled with an older version of libpcap.

If the program is statically linked with libpcap 1.7.4, so that it uses the libpcap with which it was built, then, if the 1.7.4 libpcap was built on the system with the 2.6.9 kernel, it won't be able to use the TPACKET_V3 code (neither TPACKET_V3 nor the headers required to use it are defined by 2.6.9's header files), so it won't use TPACKET_V3 on any system.
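The conditions in the answer above, written as a check a capture program could run at startup. This is an added example, not part of the original thread and not libpcap's own code; `version_at_least`, `tpacket_v3_possible` and `BUILT_WITH_V3_HEADERS` are hypothetical names, and the libpcap version string is passed in (with a constructed default) so the program builds without libpcap installed.

```c
#include <stdio.h>
#include <sys/utsname.h>
#ifdef __linux__
#include <linux/if_packet.h>  /* defines TPACKET3_HDRLEN when headers know V3 */
#endif

/* Compare the first "major.minor" found in s with maj.min.
 * Returns 1 if s >= maj.min, 0 if older, -1 if no version was found. */
int version_at_least(const char *s, int maj, int min)
{
    int a = 0, b = 0;
    while (*s) {
        if (*s < '0' || *s > '9') { s++; continue; }
        if (sscanf(s, "%d.%d", &a, &b) == 2)
            return a > maj || (a == maj && b >= min);
        while (*s >= '0' && *s <= '9') s++;  /* lone number, skip it */
    }
    return -1;
}

/* 1 if the kernel headers used for THIS build define the TPACKET_V3 ring. */
#ifdef TPACKET3_HDRLEN
#define BUILT_WITH_V3_HEADERS 1
#else
#define BUILT_WITH_V3_HEADERS 0
#endif

/* The three conditions from the thread: running kernel >= 3.2, libpcap >= 1.5.0,
 * and the libpcap in use was built against headers that define TPACKET_V3. */
int tpacket_v3_possible(const char *libpcap_ver, const char *kernel_rel,
                        int libpcap_built_with_v3_headers)
{
    return version_at_least(kernel_rel, 3, 2) == 1 &&
           version_at_least(libpcap_ver, 1, 5) == 1 &&
           libpcap_built_with_v3_headers;
}

int main(int argc, char **argv)
{
    /* Constructed default; a real program passes pcap_lib_version() here. */
    const char *lib = argc > 1 ? argv[1] : "libpcap version 1.7.4";
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    /* Assumption: libpcap was built on this machine (the static-link case). */
    int ok = tpacket_v3_possible(lib, u.release, BUILT_WITH_V3_HEADERS);
    printf("kernel %s, %s: TPACKET_V3 %s\n", u.release, lib,
           ok ? "possible" : "not available");
    return ok ? 0 : 1;
}
```

The version numbers alone are necessary but not sufficient: a libpcap 1.7.4 built against 2.6.9 headers passes the version test and still has no TPACKET_V3 code, which is why the build-time flag is a separate input.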

@jfree9876543212
Author

Thanks for your helpful information.

@infrastation
Member

For posterity, there is now a FAQ entry about this.
