I had time to play around with my packet capturing stuff. Using a snapshot length of 1524 (i added a few bytes just to be safe) seems to give the same performance in both versions, so I can go back and use the packages delivered with Ubuntu. Great!
Btw. I experienced the biggest performance increase by changing the 32bit Lubuntu 11.04 to an 64bit Ubuntu 11.04 on the same machine. All the best, Bernd > From: doktorbe...@hotmail.com > To: tcpdump-workers@lists.tcpdump.org > Subject: Re: [tcpdump-workers] libpcap capture performance drop > Date: Thu, 26 May 2011 09:18:19 +0000 > > > Thanx for that information! > > I think I have used something big like 65535. But using 1514 should be enough > in my case (CRC is dropped). > > I hope I will find some time to play around with the snap_len in the next > weeks and let you know what happens. > > All the best, > Bernd > > > Subject: Re: [tcpdump-workers] libpcap capture performance drop > > From: g...@alum.mit.edu > > Date: Fri, 20 May 2011 12:02:42 -0700 > > To: tcpdump-workers@lists.tcpdump.org > > > > > > On Sep 6, 2010, at 11:45 AM, Doktor Bernd wrote: > > > > > If I recompile with the HAVE_PACKET_RING stuff *not* commented out I get > > > the bad performance as with the packaged versions from Ubuntu. So the > > > performance drop is caused by that part of libpcap. > > > > The packet-ring stuff has fixed-length slots, which means that the number > > of slots is the buffer size divided by the size of the slots. > > > > The slot size is calculated from the snapshot length; what snapshot length > > are you using? If, for example, this is on Ethernet, and your snapshot > > length is > 1518 (1518 just in case the CRC is delivered as part of the > > packet; it is with BPF in Mac OS X, for example, and I think on some other > > BPF platforms, but it might not be on Linux), that might reduce the number > > of ring buffer slots and thus increase the number of packet drops, > > especially if the snapshot length is, for example, the tcpdump/Wireshark > > default of 65535.- > > This is the tcpdump-workers list. > > Visit https://cod.sandelman.ca/ to unsubscribe. > - > This is the tcpdump-workers list. > Visit https://cod.sandelman.ca/ to unsubscribe. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
