Folks,
I'm uncertain on how to proceed. I am hoping that some of the developers could try a patch I submitted to [EMAIL PROTECTED]. It (hopefully) only affects the Linux component of libpcap. I'm not real clear on the protocol to cause a more or less major change like this. The API remains the same. New functionality is achieved from the use of environment variables.

Here is the message I included in the email to patches:

I've gone to probably more lengths than necessary to create a patch to the current libpcap that will utilize the CONFIG_PACKET_MMAP Linux kernel option (along with CONFIG_PACKET and CONFIG_FILTER). It requires no change to application source code. But it obviously would require a properly configured kernel. Environment variables are used to invoke Alexey Kuznetsov's ring buffer implementation.

Applications that use a shared library (debian tcpdump) will just work. I've installed the shared libraries that this patch also provides on debian (after moving the libpcap libraries from /usr/lib). Done the magic with the environment. And started a debian tcpdump which was darn happy to have 32768 1514-byte frames to cushion the network ride. In addition, if you let it run too long, you could find yourself out of disk due to the inclusion of a couple of defines for savefile.c's benefit.

Both 3.6 and 3.7 tcpdump work with this library (not to mention snort).

See README.ring and source (of course) to see how the PCAP_STATS are created. On low impact networks, PCAP_FRAMES can be set much lower without loss. The keyword 'max' sets it to just that. PCAP_TO_MS changes the "to_ms" value, which is used to set the interval between stats or, in the case of applications not based on pcap_loop, the return to the application. PCAP_VERBOSE, if non-zero, will cause the banner to be printed indicating the basic configuration.
Example (using patched libpcap-2002.03.18 and vanilla tcpdump-2002.03.18):

    # export PCAP_STATS=0xfff PCAP_FRAMES=max PCAP_TO_MS=1000 PCAP_VERBOSE=1
    # ./tcpdump -i eth0 -w /tmp/file.pcap -s 1514
    Kernel filter, protocol 0003, MMAP mode (32768 frames, snapshot 1514), socket type: Raw
    tcpdump: listening on eth0
    S:1016561225.649375 9619 0 9624 0 9626 5411754 5412851 0 27758 169 0
    S:1016561226.649515 9198 0 9198 0 9202 5355826 5356689 0 4206 117 0
    S:1016561227.649628 9569 0 9578 0 9584 5243072 5233658 0 13775 92 0
    ...

Thanks,
--
Phil Wood, [EMAIL PROTECTED]

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
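Added example, not code from the patch or from libpcap: one way a frame count read from an environment variable such as PCAP_FRAMES could be validated and turned into the block and frame geometry a PACKET_MMAP ring request needs, rejecting values that would wrap or exceed a memory limit. The function names, the treatment of 'max' as a caller-supplied cap, and the `overhead` and `mem_limit` parameters are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Same four fields as the kernel's struct tpacket_req (PACKET_RX_RING). */
struct ring_req { unsigned block_size, block_nr, frame_size, frame_nr; };

/* Hypothetical helper: frame count from an environment-style string.
 * "max" maps to max_frames, a caller-chosen cap. Returns 0 on bad input. */
unsigned parse_frames(const char *s, unsigned max_frames)
{
    char *end;
    unsigned long v;

    if (s == NULL)
        return 0;
    if (strcmp(s, "max") == 0)
        return max_frames;
    if (*s < '0' || *s > '9')          /* strtoul would accept "-1" and " 5" */
        return 0;
    errno = 0;
    v = strtoul(s, &end, 0);           /* base 0: decimal, 0x hex, 0 octal */
    if (errno != 0 || *end != '\0' || v == 0 || v > max_frames)
        return 0;
    return (unsigned)v;
}

/* Hypothetical helper: size a ring of `frames` frames holding `snaplen`
 * bytes each. `overhead` is the space the kernel uses ahead of the packet
 * data in a frame (caller supplied). Returns 0, or -1 if the request is
 * invalid or needs more than mem_limit bytes. */
int ring_geometry(unsigned frames, unsigned snaplen, unsigned overhead,
                  unsigned page_size, unsigned long long mem_limit,
                  struct ring_req *r)
{
    /* 64-bit arithmetic so oversized inputs cannot wrap the products;
     * frame size is rounded up to the 16-byte TPACKET alignment. */
    unsigned long long fs = ((unsigned long long)snaplen + overhead + 15) & ~15ULL;
    unsigned long long bs = page_size, per_block, blocks;

    if (frames == 0 || page_size == 0 || fs == 0 || r == NULL)
        return -1;
    while (bs < fs)                    /* block: page multiple holding >= 1 frame */
        bs <<= 1;
    per_block = bs / fs;
    blocks = (frames + per_block - 1) / per_block;
    if (bs > UINT_MAX || blocks * per_block > UINT_MAX || blocks * bs > mem_limit)
        return -1;
    r->block_size = (unsigned)bs;
    r->frame_size = (unsigned)fs;
    r->block_nr = (unsigned)blocks;
    r->frame_nr = (unsigned)(blocks * per_block);  /* kernel wants an exact match */
    return 0;
}
```

The frame count is rounded up to a whole number of blocks because the kernel rejects a ring request whose frame count differs from blocks times frames per block.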
