> > I have written a packet sniffer under C++ using libpcap. > > Now I have noticed that about every 3 minutes and 15 seconds the Program > > uses 100 % of the CPU. > > After about 45 sec the program works normal again and uses only 10% of > the > > CPU time. > > Sure sounds like a problem with your program - as far as I know there > is nothing in libpcap which would cause this. > > > The program is running on a 300 MHz Celeron with 128 MB RAM under > Slackware > > 8.1. > > I also tried it under a 1600 Athlon XP with 512 MB RAM under SuSeE 8.2. > > There was the same behaviour, except that it only used 80% of the CPU > and it was > > back normal faster. > > I use libpcap 0.8.1 and pcap_dispatch, which is called in a while > statement > > of a pthread, with 1 as parameter for number of packets to capture. > > I first thought that I made a mistake in the call-back function, but I > > replaced my code with return and it did the same thing. > > I tested the program with hping2 and sent a packet every 10 ms. The used > > filter is quite long and consists of about 150 pairs of IP-Addresses and > Ports. > > A packet every 10 ms is only 100 pps - this should be no problem at > all. If I test tcpdump on a FreeBSD/Pentium 700 MHz machine with 100 > pps, I see less than 1% load from running tcpdump. I recommend that > you test tcpdump on your system with the same filter as your C++ > program and see what happens. If you do "tcpdump -nw /dev/null" you > have removed all DNS lookups and all writing to the terminal, and > should be left with the load from tcpdump/libpcap itself.
It is correct that the performance of tcpdump is better, but it shows the same behaviour but not that strong. Also about every 3 minutes the the idle time of the CPU goes down to 62 percent. It is back at normal within 15 sec (values from top ). It seems to me that somehow libpcap "hangs" a moment, and because my program processes whole packets (snaplen 1500) it takes some time and CPU power to get the queue of packtes empty. Hans > > Steinar Haug, Nethelp consulting, [EMAIL PROTECTED] > -- +++ NEU bei GMX und erstmalig in Deutschland: TÜV-geprüfter Virenschutz +++ 100% Virenerkennung nach Wildlist. Infos: http://www.gmx.net/virenschutz - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
