Re: [tcpdump-workers] libpcap and PF_RING

2012-08-30 Thread Jim Lloyd
On Thu, Aug 30, 2012 at 2:04 PM, Jakub Zawadzki wrote: > On Thu, Aug 30, 2012 at 11:10:02AM -0700, Jim Lloyd wrote: > > I'm confused as to what is required for libpcap to use PF_RING. Most of > the > > hits I have seen while searching for this are ancient and refer to

[tcpdump-workers] libpcap and PF_RING

2012-08-30 Thread Jim Lloyd
I'm confused as to what is required for libpcap to use PF_RING. Most of the hits I have seen while searching for this are ancient and refer to libpcap 0.8. Can anyone please provide a link or summarize what must be done for libpcap to use PF_RING on a relatively modern Linux x86_64 system. I am in

Re: [tcpdump-workers] sniffing HTTP traffic to load-balancer on a

2010-11-01 Thread Jim Lloyd
You want some kind of port mirroring. On Mon, Nov 1, 2010 at 8:57 PM, Andrej van der Zee <andrejvander...@gmail.com> wrote: > Hi, > > I am looking for a solution that sniffs all HTTP traffic to the > load-balancer in a multi-tier web application, but

Re: [tcpdump-workers] libpcap delivering the same packet more than once under high load?

2010-09-14 Thread Jim Lloyd
On Tue, Sep 14, 2010 at 5:48 AM, Alexander Dupuy wrote: > Jim Lloyd writes: > >> These duplicate packets cannot be unique packets that were retransmitted >> between the two machines on the layer 1 GigE link, because if there was a >> significant increase in retransmissio

[tcpdump-workers] libpcap delivering the same packet more than once under high load?

2010-09-10 Thread Jim Lloyd
tatistics for "data" and "dup" are gathered in the worker threads. We do have cross-checks to ensure that the total packet rate seen by the worker threads is consistent with the packet rate seen by the main thread. Thanks, Jim Lloyd Silver Tail Systems - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] pcap_dispatch on linux 2.6 with libpcap 1.1.1

2010-08-25 Thread Jim Lloyd
On Wed, Aug 25, 2010 at 2:14 AM, Guy Harris wrote: > > On Aug 23, 2010, at 3:54 PM, Jim Lloyd wrote: > > > What is the relationship between the socket receive buffer and the > > mmap buffer? Does the mmap buffer replace the socket receive buffer, > > Yes. > C

Re: [tcpdump-workers] pcap_dispatch on linux 2.6 with libpcap 1.1.1

2010-08-23 Thread Jim Lloyd
On Sun, Aug 22, 2010 at 11:44 PM, Guy Harris wrote: > > On Aug 21, 2010, at 3:30 PM, Jim Lloyd wrote: > > > I have tested with the above logic while sniffing traffic on a GigE > ethernet > > NIC (eth0) and on the loopback device (lo). The test machine is an 8-core >

[tcpdump-workers] pcap_dispatch on linux 2.6 with libpcap 1.1.1

2010-08-21 Thread Jim Lloyd
g loopback. However, I wouldn't be surprised if this is due to my TCP reconstruction code failing to handle some rare corner case that handles with real TCP packets but does not happen with loopback. Thanks in advance for any insights. Thanks, Jim Lloyd

Re: [tcpdump-workers] When will a packet filter be ignored/unused?

2010-03-18 Thread Jim Lloyd
On Thu, Mar 18, 2010 at 7:33 AM, Eloy Paris wrote: > On 03/17/10 18:45, Guy Harris wrote: > > On Mar 17, 2010, at 10:54 AM, Jim Lloyd wrote: >> >> I've done some experimentation and determined that apparently I >>> must call pcap_activate before ca

Re: [tcpdump-workers] When will a packet filter be ignored/unused?

2010-03-17 Thread Jim Lloyd
On Tue, Mar 16, 2010 at 4:40 PM, Jim Lloyd wrote: > I have a working application using libpcap that doesn't always filter as I > expect. The application is designed to sniff http traffic, so the filter can > be as simple as "tcp port 80". However, we allow sniffing multipl

[tcpdump-workers] When will a packet filter be ignored/unused?

2010-03-16 Thread Jim Lloyd
e? No error code is returned when we compile and install the filter. Is there any way to determine if a filter is being ignored? Thanks, Jim Lloyd Silver Tail Systems

Re: [tcpdump-workers] Packet drop counts via pcap_stats()

2010-03-02 Thread Jim Lloyd
On Sat, Feb 27, 2010 at 5:35 PM, Dustin Spicuzza wrote: > Jim Lloyd wrote: > > Over the last couple months we have developed and deployed into a > production > > environment an application using libpcap, where we sniff upwards of > 350Mbps > > of HTTP traffic arriving

Re: [tcpdump-workers] Packet drop counts via pcap_stats()

2010-02-27 Thread Jim Lloyd
Thanks, I'll get the latest and report back what I learn. On Sat, Feb 27, 2010 at 5:35 PM, Dustin Spicuzza wrote: > Jim Lloyd wrote: > > Over the last couple months we have developed and deployed into a > production > > environment an application using libpcap, wh

[tcpdump-workers] Packet drop counts via pcap_stats()

2010-02-27 Thread Jim Lloyd
handle lower throughput under valgrind, but it is bothersome that I don't seem to have any way for pcap to tell me that it can't keep up. Is this expected behavior, or is there something I am overlooking? Thanks, Jim Lloyd Principal Architect Silver Tail Systems