[tcpdump-workers] Huge latency increase libpcap-1.4.0 -> libpcap-1.5.3

2014-11-14 Thread Steve Bourland
I have some programs that suffered terrible performance degradation when 
moving from Ubuntu 12.04 to Ubuntu 14.04.  Originally I blamed Ubuntu 
14.04 for the performance hit and simply stuck with 12.04, however when I 
updated libpcap to support hardware timestamps, the performance degraded 
again.  I then reduced the problem to a program that simple returned ICMP 
ECHO replies when requests were received.  Under 12.04, this program works 
very well (with reported responses from ping of under 500 usec), however, 
if I point the libpcap.so files to the downloaded version 1.5.3 
(originally tested with 1.6.2 and problem seen there as well), the 
response times jump to sometimes over 100 msec.  Similarly, if I run the 
program on Ubuntu 14.04 I see response times well over 10 msec (and 
actually miss many requests).  If I simply replace the links to 
libpcap.so.1.5.3 with links to libpcap.so.1.4.0 the responses return to 
sub 300 usec.  Is this behavior expected?  Do I need to redo my pcap 
handle setup if moving from libpcap-1.4.0 to libpcap-1.5.3 (or 
libpcap-1.6.2)?  Any guidance is greatly appreciated.  Any troubleshooting 
I can do to help out?

Thanks,
  Steve
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Huge latency increase libpcap-1.4.0 -> libpcap-1.5.3

2014-11-14 Thread Steve Bourland

On Fri, 14 Nov 2014, Guy Harris wrote:



On Nov 14, 2014, at 1:17 PM, Steve Bourland  wrote:

I have some programs that suffered terrible performance degradation 
when moving from Ubuntu 12.04 to Ubuntu 14.04.


Are those programs capturing and processing network traffic, are they 
sending packets and expecting to receive a response, or are they doing 
something else?


They are essentially servers, listening for specific packets and then 
building and sending the appropriate reply to the client.


Is the performance issue one of high latency or of dropped packets when 
capturing?


Sorry, the main concern I have is high latency, I only saw the dropped 
packets when I started changing the links in /usr/lib/x86_64-linux-gnu/ so 
I am fairly confident I messed something up there.


I then reduced the problem to a program that simple returned ICMP ECHO 
replies when requests were received.


So that's a program sending packets and expecting to receive a 
response...


It simply replaces the stack and replies to ICMP ECHO REQUESTs using 
libpcap.  I did that so I could just use ping as the stimulous and have 
automatic statistics.


Under 12.04, this program works very well (with reported responses from 
ping of under 500 usec), however, if I point the libpcap.so files to 
the downloaded version 1.5.3 (originally tested with 1.6.2 and problem 
seen there as well), the response times jump to sometimes over 100 
msec.


...and the issue you're talking about there is latency.


Yes, sorry, the times reported are reported from the other machine's 
(stock) ping command.


What timeout are you specifying with pcap_open_live() or 
pcap_set_timeout()?


In the test program I am using 1 msec as the timeout for 
pcap_open_live...but then have a selectable fd and am using a select call 
to let me know when a packet arrives.



Note that:

For programs passively capturing and processing network traffic, you 
probably want a long timeout (tcpdump uses 1 second, Wireshark uses 100 
ms or so), so that as many packets are delivered per wakeup as possible.


For programs sending packets and expecting a response for each packet, 
you probably want a *low* timeout (note that 0 is *not* a valid timeout 
- it may mean "no timeout" in the sense that you won't see packets until 
the capture mechanism's buffer fills up, which could take an 
indefinitely long period of time) or, with newer versions of libpcap, 
you might want to use "immediate mode", instead, in which no 
timeout-based packet buffering is done - packets are delivered 
immediately.  pcap_set_immediate_mode() first appeared in libpcap 1.5.0.


This is exactly the information I was hoping you would be able to provide. 
I will try this out and report back with my findings as soon as possible, 
but I expect you have identified where my problem lies.

Thank you very much,
Steve

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Huge latency increase libpcap-1.4.0 -> libpcap-1.5.3

2014-11-14 Thread Steve Bourland

On Fri, 14 Nov 2014, Guy Harris wrote:



On Nov 14, 2014, at 2:08 PM, Steve Bourland  wrote:


On Fri, 14 Nov 2014, Guy Harris wrote:


On Nov 14, 2014, at 1:17 PM, Steve Bourland  wrote:

I have some programs that suffered terrible performance degradation 
when moving from Ubuntu 12.04 to Ubuntu 14.04.


Are those programs capturing and processing network traffic, are they 
sending packets and expecting to receive a response, or are they doing 
something else?


They are essentially servers, listening for specific packets and then 
building and sending the appropriate reply to the client.


OK, that's the same case, from the point of view of using libpcap, as 
the client case of sending packets and expecting to receive a response.


Is the performance issue one of high latency or of dropped packets 
when capturing?


Sorry, the main concern I have is high latency,


As I suspected.

What timeout are you specifying with pcap_open_live() or 
pcap_set_timeout()?


In the test program I am using 1 msec as the timeout for 
pcap_open_live...but then have a selectable fd and am using a select 
call to let me know when a packet arrives.


Well, 1 ms is the smallest that the timeout can get.

For PF_PACKET sockets, which are what libpcap uses on Linux, the 
TPACKET_V3 mechanism, which is the default in 1.5.0 and later and which 
works better for the packet-capture case, doesn't work well for the 
request-and-response application case.


I would suggest that:

	if the version of libpcap with which you're building has the 
pcap_set_immediate_mode() API, use pcap_create(), 
pcap_set_immediate_mode(), and pcap_activate() rather than 
pcap_open_live(), as libpcap falls back to TPACKET_V2 in immediate mode;


	otherwise, libpcap also doesn't support TPACKET_V3, so that's not 
an issue - keep using pcap_open_live() (unless you're already using 
pcap_create()/pcap_activate(), which first appeared in 1.0.0).


This may require a configure script, if you're OK with building from 
source different versions of the program for different machines, or some 
dlopen()/dlsym() trickery if you want to make a binary that'll work with 
both libpcap 1.5-and-later and earlier versions.


Initial testing on an Ubuntu 14.04 system showed that the pcap_create, 
pcap_set_immediate_mode, pcap_activate fixed the problems beautifully for 
me.  The simplified icmp "server" went from horrible latencies and losses 
to a mean round trip time of 298 usec (reported by ping on a 14.04 server 
system) and zero losses.  Thanks so much for you quick help, and in terms 
of the full program, I am very fortunate that it will be compiled and 
deployed on a per system basis so I don't need to worry about a generic 
binary and can sort out a configure script or Makefile trickery.  Thanks 
for answering within a few hours a question that has been in the back of 
my mind for months.

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] tcpdump-workers Digest, Vol 72, Issue 3

2018-07-08 Thread Steve Bourland
If you have the server's certificate, wireshark has the capability to 
decrypt SSL traffic captured with tcpdump, but you must have the 
certificate and the start of the tcp session.


On Sun, 8 Jul 2018, tcpdump-workers-requ...@lists.tcpdump.org wrote:


Send tcpdump-workers mailing list submissions to
tcpdump-workers@lists.tcpdump.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
or, via email, send a message with subject or body 'help' to
tcpdump-workers-requ...@lists.tcpdump.org

You can reach the person managing the list at
tcpdump-workers-ow...@lists.tcpdump.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of tcpdump-workers digest..."


Today's Topics:

  1. Re: Packet capture of SSL traffic (Kaushal Shriyan)


--

Message: 1
Date: Sun, 8 Jul 2018 10:53:40 +0530
From: Kaushal Shriyan 
To: g...@alum.mit.edu
Cc: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] Packet capture of SSL traffic
Message-ID:

Content-Type: text/plain; charset="UTF-8"

Thanks! Guy Harris for the explanation. Are there any tools which can decrypt
SSL traffic once i do the packet capture of SSL traffic using tcpdump?

I look forward to hearing from you.

Best Regards,

Kaushal

On Sat, Jul 7, 2018 at 6:23 AM Guy Harris  wrote:


On Jul 5, 2018, at 11:18 AM, Kaushal Shriyan 
wrote:

> Is there a way to run tcpdump to do packet capture on SSL traffic?

Yes.  Plug the machine running tcpdump into a network on which SSL traffic
is being sent, in a fashion that allows it to see that traffic (bearing in
mind, for example, that capturing third-party traffic on a switched network
may be difficult or impossible), and run tcpdump, with the -w flag, so that
it saves the traffic to a file, and either with no filter or with a filter
that matches the SSL traffic.

If you mean "is there a way to run tcpdump so that it can *dissect* SSL
traffic", rather than just being able to put undissected raw packet
contents, including SSL packets, into a file to be read by another program,
the answer is "no" - tcpdump doesn't currently include the ability to
decrypt SSL traffic.

(I.e., there's more to being able to analyze traffic than just being able
to capture it)



--

Subject: Digest Footer

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


--

End of tcpdump-workers Digest, Vol 72, Issue 3
**

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


[tcpdump-workers] pcap_inject change?

2018-09-11 Thread Steve Bourland
I am expecting this is a change outside of libpcap given the lack of a 
note in the change log, but we are moving from Ubuntu 16.04 (well, really 
12.04) to 18.04 and have starting having packets flagged for Frame Check 
Sequence errors when captured and analyzed in Wireshark.  I have a simple 
ARP sending program for testing and have found that under Ubuntu 18.04 
(libpcap version 1.8.1) an additional 14 bytes appear to be injected, with 
non-zero data that is triggering the errors in the dissector (ie, if I 
call pcap_inject with size argument 50, 64 bytes are captured, if called 
with size argument 60, 74 are captured).  On matching hardware under 
Ubuntu 16.04 (libpcap 1.7.4), pcap_inject with size 50 results in 60 bytes 
on the wire (expected minimum packet size) and the padding is all zeros. 
Both machines are using the same Intel e1000e driver versions (3.2.6-k).

Has anyone else seen this or have a workaround?

(pcap handle is being created with pcap_open_live vs. pcap_create as this 
is an older program.)


Thanks,
Steve
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] pcap_inject change?

2018-09-11 Thread Steve Bourland

On Tue, 11 Sep 2018, Michael Richardson wrote:


Steve Bourland  wrote:
   > are captured, if called with size argument 60, 74 are captured).  On
   > matching hardware under Ubuntu 16.04 (libpcap 1.7.4), pcap_inject with
   > size 50 results in 60 bytes on the wire (expected minimum packet size)
   > and the padding is all zeros. Both machines are using the same Intel
   > e1000e driver versions (3.2.6-k).  Has anyone else seen this or have a
   > workaround?

It sounds like different kernel packet capture mechanisms are being used.
The pcap_lib_version string will tell you what's compiled in, but not which
one is used. (TPACKET3 vs 2, etc.)

There was no way in earlier versions of libpcap to even know which was used.
I thought we had a way in 1.9, but I can't find it... so I think that I'm
wrong, I'm just remembering that we discussed that we should?

The pcap_lib_version string will tell you what's compiled in, but not which
one is used.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[


I'm a little confused, why would the capture mechanism matter for the 
pcap_inject call?  I am capturing both senders packets on the same machine 
(a single tcpdump call).  I was thinking my next move would be to grab the 
18.04 kernel and install it on the 16.04 machine to see if that triggers 
the behavior on the 16.04 machine.

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] pcap_inject change?

2018-09-11 Thread Steve Bourland

On Tue, 11 Sep 2018, Michael Richardson wrote:


Steve Bourland  wrote:
   > are captured, if called with size argument 60, 74 are captured).  On
   > matching hardware under Ubuntu 16.04 (libpcap 1.7.4), pcap_inject with
   > size 50 results in 60 bytes on the wire (expected minimum packet size)
   > and the padding is all zeros. Both machines are using the same Intel
   > e1000e driver versions (3.2.6-k).  Has anyone else seen this or have a
   > workaround?

It sounds like different kernel packet capture mechanisms are being used.
The pcap_lib_version string will tell you what's compiled in, but not which
one is used. (TPACKET3 vs 2, etc.)

There was no way in earlier versions of libpcap to even know which was used.
I thought we had a way in 1.9, but I can't find it... so I think that I'm
wrong, I'm just remembering that we discussed that we should?

The pcap_lib_version string will tell you what's compiled in, but not which
one is used.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[




OK, as I expected (feared), when I brought the 16.04 machine from kernel 
4.4.0-109 to 4.15.0-34 it started injecting the "extra" 14 bytes, so it 
looks like it is a change in the kernel handling of the injection.  Does 
anyone have any pointers on how to handle this?


Thanks,
Steve
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] pcap_inject change?

2018-09-11 Thread Steve Bourland

On Tue, 11 Sep 2018, Michael Richardson wrote:


Steve Bourland  wrote:
   > I'm a little confused, why would the capture mechanism matter for the
   > pcap_inject call?  I am capturing both senders packets on the same
   > machine (a single tcpdump call).  I was thinking my next move would be
   > to grab the 18.04 kernel and install it on the 16.04 machine to see if
   > that triggers the behavior on the 16.04 machine.

I'm sorry, I mis-understood.  I read pcap_inject, then immediately forgot
that point... then understood that you were saying that there was garbage
at the end of the captured packets!

So I have no idea.
What kernel versions are involved?
What does strace on each show for the system call that sends the packet?

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[




No problem, I have found the 16.04 (using 4.4.0-) was "good" 
but once I installed kernel 4.15.0-34 it started misbehaving.  Now 
realized I have a third machine (does have different Intel NIC, but using 
the same driver, so a bit of a difference there) that is "well behaved" 
running 18.04...with kernel 4.15.0-32, so updating it to 4.15.0-34 to see 
if that "ruins" its behavior


Yes, things broke moving from 4.15.0-32 to 4.15.0-34, so it looks like the 
change came with the move from -32 to -33 (the original machines showing 
the problem have the -33 kernel installed).


These kernels are what come with Ubuntu 18.04 from Canonical.  Should I 
file a bug with them or do you have "better pull" and enough information 
to follow up on this?  I am more than happy to continue to follow this, 
but I am going to be an unknown to folks vs. you.


Thanks so much for your help,
Steve
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers