libpcap sniffing time penalty on Linux #472

Closed
stealth opened this issue Jan 7, 2016 · 5 comments

stealth commented Jan 7, 2016

Using the newest libpcap on Linux, I have a delay of ~0.3s before a packet is
returned via pcap_dispatch(). Kernel is 3.14 and the problem is only with packet-ring.
Disabling packet ring via configure has no such delay (verified by strace
using recvfrom()). The problem was once fixed in
feab221 (I think) but seemed to be reintroduced by V3 mmap handling code?

Anyone else experienced such time delays on certain kernel/pcap combinations?

Author

stealth commented Jan 7, 2016

Checking out feab221 indeed "fixes" the problem, but packet ring support seems to
be disabled by configure (and can't be enabled), so recvmsg() is still in place. Maybe the poll()
in the ring case has unacceptable time overhead?

@guyharris
Member

> I have a delay of ~0.3s before a packet is returned via pcap_dispatch().

Libpcap makes no guarantee, and has never made any guarantee, that packets will be delivered immediately, the instant that they arrive, unless you enable "immediate mode" by calling pcap_set_immediate_mode() between pcap_create() and pcap_activate(). Otherwise, there is no guarantee that packets will be delivered to its caller before the timeout specified in pcap_open_live() or pcap_set_timeout() expires.

If you want immediate packet delivery, use immediate mode; if you want buffering, to deliver multiple packets per wakeup, don't use immediate mode and set the timeout appropriately.

@infrastation
Member

There's a man page, there's a recurring question, the only missing element is a FAQ page. Just an idea. :-D

@stealth
Author

stealth commented Jan 8, 2016

Thanks for the reply. Using pcap_set_immediate_mode() seems to work with packet-ring.

stealth closed this as completed Jan 8, 2016

@infrastation
Member

For posterity, there is now a FAQ entry about this.
