On 4/7/06, J S <[EMAIL PROTECTED]> wrote: > Hello, > > I am developing an active monitoring system, which implements pcap filter. > > The requirement is to send probes with a high monitoring rate e.g. 40 msec > and the probe packets have data of 12 bytes. For each packet sent by the > sender the recipient sends a reply packet. > > > I have noticed a strange behavior of the captured packets. > > > I initially started with 10 probe packets sent by the sender with an > interval of 40 msec between each of them. I used pcap_loop method with a cnt > of -1. to loop for ever . The pcap filter deployed at each end is supposed > to capture 20 packets ( 10 from src to dst and 10 from dst to src and I am > only capturing data packets). However I noticed that the number of packets > captured are quite less (varied from 13 to 17) . but the total size of the > pay load i.e. the sum of the payload for all packets is always 240 (12 x 20 > =240). For some of the packets the size of the payload is 24, or even 48. > > When I increased the monitoring rate the payload size even changed to 108 > bytes and the no of packets changed to 10. However in all cases the total > pay load size of all the packets was exact 240. I know there was no packet > lost , as I can see them through sockets. I think the number of packets > captured equaled to 20 when I changed the rate to 1 sec. > I presume you are using TCP/IP here. TCP/IP combines small packets to make more efficient use of the network. If you use the TCP_NODELAY socket option it won't do this.
> Is there any way I can capture packets efficiently with rate as high as 40 > msec? > This should be no problem at all.... -- Ian McDonald Web: http://wand.net.nz/~iam4 Blog: http://imcdnzl.blogspot.com WAND Network Research Group Department of Computer Science University of Waikato New Zealand - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
