Hallo,
Which of the two (BPF or DLPI) will generally give you better performance? Particularly, i am looking to reduce the number of dropped packets. Will DLPI capture even report captured/dropped packet count?
Which piece of string is longer?-) Saying "DLPI" in and of itself isn't quite enough - it could have stuff pushed onto it like a bufmod or even (one of these days I _really_ have to revisit it) a "bpfmod"
However, in broad handwaving terms, when one uses DLPI, the filtering is done in user-space, and there is no aggregation of captured traffic in the kernel. There may be some DLPI or more likely Streams-specific stats (not quite sure what they are) that would imply dropped packets, but promiscuous mode via DLPI will not explicitly tell you.
I would have to guess that on the same box, modulo some implementation screw-up, a "pure" BPF interface would give better performance than DLPI. DLPI though may still give "sufficient" performance.
rick jones - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
