Over the last couple months we have developed and deployed into a production environment an application using libpcap, where we sniff upwards of 350Mbps of HTTP traffic arriving via a SPAN. On the whole I am extremely pleased with libpcap in terms of both the ease of implementation and the efficiency/throughput/quality of the packet capture. We are clearly not getting all packets, but there is fairly strong evidence this is mostly due to being too aggressive with the SPAN.
However, one concern I have with libpcap is that it seems that pcap_stats() has never reported a dropped packet. Is this a known problem? We are using libpcap-1.0.0 on CentOS 5.4, which uses the Linux kernel 2.6.18-164.el5, on x86_64. I have also run our application with valgrind, and when I do the volume of packets processed drops significantly for the same traffic. It is not surprising to me that we are forced to handle lower throughput under valgrind, but it is bothersome that I don't seem to have any way for pcap to tell me that it can't keep up. Is this expected behavior, or is there something I am overlooking?

Thanks,
Jim Lloyd
Principal Architect
Silver Tail Systems

This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.