Hi, I am using linux on my device. I do not want to have to copy all the packets from kernel space to user space for performance reasons. I am not very familiar with the memory-mapped access capture mechanism. Would this avoid the performance hit of context switch memory spaces? Can you point me to some resources on that particular capture mechanism?
Thanks -D On Mon, Apr 6, 2009 at 4:53 PM, Guy Harris <g...@alum.mit.edu> wrote: > > On Apr 6, 2009, at 2:52 PM, Diego Valverde wrote: > > Is there a way to specify 1 out of every N packets sampling using an >> existing filter combination? >> > > No. The filtering mechanism was created in order to filter based on packet > content, and that's all it supports checking. > > if not where should I look into the code in order to extend the filtering >> functionally for my particular needs? >> > > Nowhere - as indicated, the filtering mechanism checks only packet > contents. > > I'm assuming the embedded device is running an operating system such as > Linux, so that packets have to be copied from kernel space to user space > (unless libpcap is using the memory-mapped access mechanism on Linux or > FreeBSD) to be delivered to libpcap. > > If you don't care whether packets not being sampled are copied from kernel > space to user space (or if you're running on a version of Linux or FreeBSD > with a memory-mapped capture interface), you could just do the sampling in > the code that reads from libpcap. > > If you do care, you'll have to implement the filtering in the kernel. > - > This is the tcpdump-workers list. > Visit https://cod.sandelman.ca/ to unsubscribe. > - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
