> I have written a packet sniffer under C++ using libpcap. > Now I have noticed that about every 3 minutes and 15 seconds the Program > uses 100 % of the CPU. > After about 45 sec the program works normal again and uses only 10% of the > CPU time.
Sure sounds like a problem with your program - as far as I know there is nothing in libpcap which would cause this. > The program is running on a 300 MHz Celeron with 128 MB RAM under Slackware > 8.1. > I also tried it under a 1600 Athlon XP with 512 MB RAM under SuSeE 8.2. > There was the same behaviour, except that it only used 80% of the CPU and it was > back normal faster. > I use libpcap 0.8.1 and pcap_dispatch, which is called in a while statement > of a pthread, with 1 as parameter for number of packets to capture. > I first thought that I made a mistake in the call-back function, but I > replaced my code with return and it did the same thing. > I tested the program with hping2 and sent a packet every 10 ms. The used > filter is quite long and consists of about 150 pairs of IP-Addresses and Ports. A packet every 10 ms is only 100 pps - this should be no problem at all. If I test tcpdump on a FreeBSD/Pentium 700 MHz machine with 100 pps, I see less than 1% load from running tcpdump. I recommend that you test tcpdump on your system with the same filter as your C++ program and see what happens. If you do "tcpdump -nw /dev/null" you have removed all DNS lookups and all writing to the terminal, and should be left with the load from tcpdump/libpcap itself. Steinar Haug, Nethelp consulting, [EMAIL PROTECTED] - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
