bpf question
I have a traffic metering program using bpf.
It works fine on a relatively free net but loses about 30%
of packets on a heavily loaded one.

Could anybody suggest something?

Thank you!

--
Dmitry Samersoff, [EMAIL PROTECTED], ICQ:3161705
http://devnull.wplus.net
* There will come soft rains ...
Re: bpf question
Dmitry Samersoff wrote:
>
> I have a traffic metering program using bpf.
> It works fine on a relatively free net but loses about 30%
> of packets on a heavily loaded one.
>
> Could anybody suggest something?

A much faster processor? What kind of CPU/memory/network interface
are you using?

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
[EMAIL PROTECTED]
http://softweyr.com/
Re: bpf question
On Wed, May 17, 2000 at 05:51:59PM +0400, Dmitry Samersoff wrote:
> I have a traffic metering program using bpf.
> It works fine on a relatively free net but loses about 30%
> of packets on a heavily loaded one.

Are you doing dns lookups? Don't do those and you may fix your problem.

>
> Could anybody suggest something?
>
> Thank you!
>
> --
> Dmitry Samersoff, [EMAIL PROTECTED], ICQ:3161705
> http://devnull.wplus.net
> * There will come soft rains ...

--
--Travis

"Linux is something for Windows haters, BSD is something for Unix lovers"
(Heike S., Febr. 98)
Re: bpf question
On 18-May-2000 Travis Cole wrote:
> On Wed, May 17, 2000 at 05:51:59PM +0400, Dmitry Samersoff wrote:
>> I have a traffic metering program using bpf.
>> It works fine on a relatively free net but loses about 30%
>> of packets on a heavily loaded one.
>
> Are you doing dns lookups? Don't do those and you may fix your problem.

Thanks to all. I tried all the usual solutions (changing the CPU, bringing
packet parsing out of the reading thread and so on), and now
I have stopped at the performance of bpf itself.

Is there an alternate driver, or can changing the bpf queue in the kernel
help, and where can I read about it?

Has anybody worked with raw ethernet, and is it helpful?

--
Dmitry Samersoff, [EMAIL PROTECTED], ICQ:3161705
http://devnull.wplus.net
* There will come soft rains ...
Re: bpf question
In the last episode (May 19), Dmitry Samersoff said:
> On 18-May-2000 Travis Cole wrote:
> > On Wed, May 17, 2000 at 05:51:59PM +0400, Dmitry Samersoff wrote:
> >> I have a traffic metering program using bpf. It works fine on a
> >> relatively free net but loses about 30% of packets on a heavily
> >> loaded one.
> >
> > Are you doing dns lookups? Don't do those and you may fix your problem.
>
> Thanks to all. I tried all the usual solutions (changing the CPU, bringing
> packet parsing out of the reading thread and so on), and now

Define "heavily loaded". If you just run "tcpdump -n" for a couple
minutes and hit ^C, does it report any dropped packets? If it does,
then your machine probably isn't fast enough to handle the network
load.

If I flood my 100mbit network with small packets, and monitor it on a
P6/200 with "tcpdump -n", I drop from 1-10% of the packets. If I use
"tcpdump -n -w logfile.txt", I drop no packets.

--
Dan Nelson
[EMAIL PROTECTED]
Re: bpf question
On Wed, 17 May 2000, Dmitry Samersoff wrote:

> I have a traffic metering program using bpf.
> It works fine on a relatively free net but loses about 30%
> of packets on a heavily loaded one.

Two possibilities come to mind:

1) Your machine is too slow (pretty slow), your bus is too slow (ISA), or
   your cards are too slow (maybe if_ed).

2) You're using multiple processes/rforks to support the application,
   which results in a full context switch during BPF reads. Instead, use
   our userland pthreads library.

Only you can tell us about (1) -- I can tell you I have successfully
snarfed 60+mbps (probably more like 70) off of two 100mbps interfaces
simultaneously with the CPU still quite low on FreeBSD 4.0, with a
moderately decent machine (400mhzish box). There was no packet loss at
all, and I was pulling the whole packet off the wire, not just the header.
In this experiment, the limiting factors were the data-pumping machines,
not the sniffing machine.

Number (2) is interesting -- if I run two tcpdumps at the same time, I see
a huge loss of performance, as all copies from kernel to userland happen
twice, and many packet deliveries cause both processes to wake up and be
scheduled. For high speed sniffing, use only a single process (i.e.,
just a relatively fast kernel->user1->kernel switch). Preventing a full
userland context switch and making sure all BPF data goes through a single
process makes a big difference (measurements on a p166).

Robert N M Watson

[EMAIL PROTECTED]              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
Re: bpf question
Dmitry Samersoff wrote:
>
> I have stopped at the performance of bpf itself.
>
> Is there an alternate driver, or can changing the bpf queue in the kernel
> help, and where can I read about it?

If my memory serves me correctly, Marcus Ranum wrote a white paper on
IDS systems in the early days of NFR, in which he said that the existing
configuration of BPF was inadequate for capturing all packets on a fast
link, and suggested a patch to improve the situation. The patch involved
bumping up a buffer from about 16kb to 256kb. Unfortunately I no longer
have the details handy, but if you did a search for BPF/IDS/NFR/Ranum
you might find something.

--
Dr Graham Wheeler                        E-mail: [EMAIL PROTECTED]
Director, Research and Development       WWW:    http://www.cequrux.com
CEQURUX Technologies                     Phone:  +27(21)423-6065
Firewalls/VPN Specialists                Fax:    +27(21)424-3656
Re: [net] bpf question
On Mon, 22 May 2000, Graham Wheeler wrote:

> If my memory serves me correctly, Marcus Ranum wrote a white paper on
> IDS systems in the early days of NFR, in which he said that the existing
> configuration of BPF was inadequate for capturing all packets on a fast
> link, and suggested a patch to improve the situation. The patch involved
> bumping up a buffer from about 16kb to 256kb. Unfortunately I no longer
> have the details handy, but if you did a search for BPF/IDS/NFR/Ranum
> you might find something.

http://www.nfr.net/forum/publications/LISA-97.htm

--
Christopher Nielsen
(enkhyl|cnielsen)@pobox.com
Enkhyl on IRC
Space monekys ate my brain: No such file or directory
Re: [net] bpf question
i think the buffer is 32K (from BPF_MAXBUFSIZE in bpf.h) and you should
be able to bump it up a bit on your box if you wish. it might help.

also, maybe we should consider upping the default buffer size in our tree?

On Mon, May 22, 2000 at 04:16:56PM -0700, Christopher Nielsen <[EMAIL PROTECTED]> wrote:
> On Mon, 22 May 2000, Graham Wheeler wrote:
>
> > If my memory serves me correctly, Marcus Ranum wrote a white paper on
> > IDS systems in the early days of NFR, in which he said that the existing
> > configuration of BPF was inadequate for capturing all packets on a fast
> > link, and suggested a patch to improve the situation. The patch involved
> > bumping up a buffer from about 16kb to 256kb. Unfortunately I no longer
> > have the details handy, but if you did a search for BPF/IDS/NFR/Ranum
> > you might find something.
>
> http://www.nfr.net/forum/publications/LISA-97.htm
>
> --
> Christopher Nielsen
> (enkhyl|cnielsen)@pobox.com
> Enkhyl on IRC
> Space monekys ate my brain: No such file or directory
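
A simplified model of the buffer-size effect discussed in this thread, added here as an illustration; it is not code from any poster or from the FreeBSD kernel. It models BPF's store/hold double buffering with a reader that completes one read() per fixed interval and counts drops for several buffer sizes. The load figures (100000 records per second, 96-byte records, one read per 10 ms) and the names `bpf_sim` and `simulate` are constructed assumptions.

```c
#include <stdio.h>

/* Simplified model of BPF's store/hold double buffering (constructed for
 * illustration; not kernel code). Records arrive at a fixed rate and the
 * reader completes one read() every stall_us microseconds. */
struct bpf_sim { unsigned long recv, drop; };

struct bpf_sim simulate(unsigned bufsize, unsigned reclen, unsigned pps,
                        unsigned stall_us, unsigned seconds)
{
    struct bpf_sim s = {0, 0};
    unsigned store_len = 0;   /* bytes queued in the store buffer */
    int hold_full = 0;        /* 1 while the hold buffer awaits read() */
    unsigned long long total = (unsigned long long)pps * seconds;
    unsigned long long next_read = stall_us;

    for (unsigned long long i = 0; i < total; i++) {
        unsigned long long now = i * 1000000ULL / pps;  /* arrival, in us */
        while (now >= next_read) {      /* reader wakes, drains one buffer */
            if (hold_full)
                hold_full = 0;
            else
                store_len = 0;          /* read timeout: take the store buffer */
            next_read += stall_us;
        }
        s.recv++;
        if (store_len + reclen > bufsize) {     /* store buffer is full */
            if (hold_full) {                    /* no free buffer: drop */
                s.drop++;
                continue;
            }
            hold_full = 1;                      /* rotate store -> hold */
            store_len = 0;
        }
        store_len += reclen;
    }
    return s;
}

int main(void)
{
    /* Constructed load: 100000 records/s of 96 bytes, one read per 10 ms. */
    unsigned sizes[] = { 16384, 32768, 65536, 262144 };
    for (int i = 0; i < 4; i++) {
        struct bpf_sim s = simulate(sizes[i], 96, 100000, 10000, 1);
        printf("%6u bytes: recv %lu drop %lu (%.1f%%)\n", sizes[i],
               s.recv, s.drop, 100.0 * s.drop / s.recv);
    }
    return 0;
}
```

On a live descriptor the same two counters are reported by the BIOCGSTATS ioctl as bs_recv and bs_drop, and the buffer size is requested with BIOCSBLEN before the descriptor is bound with BIOCSETIF.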