Here's a small bit of perl to create incrementally longer tcpdump filter
files. As simple as they are, the filter files generated should give an
indication of the best performance that can be expected with a given
filter length. More complex filters would undoubtedly result in poorer
performance.

I've found that earlier versions ran into memory management issues
when compiling large filtersets (over 100 lines), whereas v3.7.1/0.71 is
much better, but compile times become unacceptable over a few hundred.

The following test was conducted on a PIII/1GHz, 1GB SDRAM, 0 byte
dumpfile (pcap file header only):

[gbakos@pils gbakos]$ ./lengthtest.pl 500 deletethis.filter
[gbakos@pils gbakos]$ time /usr/sbin/tcpdump -r pcaptestfile -F deletethis.filter 

real    0m58.399s
user    0m58.310s
sys     0m0.090s

<--------cut here-------->

#!/usr/bin/perl -w

# lengthtest.pl
#
# A simple utility to stress test tcpdump filter compilation/parsing.
# By lengthening the filter size, we may eventually exhaust some
# finite resource (i.e. ram, cpu, time left before second coming, etc.) needed
# to evaluate the expression.
# 04/12/2002 [EMAIL PROTECTED]

use strict;

my ($filtfile, $port, $num);

die "Usage: $0 [number of lines] [output file]\n" unless ((@ARGV + 0) == 2);

$num = $ARGV[0];
$filtfile = $ARGV[1];

# The line count must be a positive integer; anything else makes the loop below meaningless.
die "Number of lines must be a positive integer\n" unless $num =~ /^\d+$/ && $num >= 1;

# Fail loudly if the output file cannot be created instead of printing to a dead handle.
open FILTS, "> $filtfile" or die "Cannot open $filtfile: $!\n";

# The first clause has no leading "or"; every following line adds one more port.
print FILTS "port 1\n";
for ($port = 2 ; $port <= $num ; $port++ ) {
        print FILTS "or port $port\n";
}
close FILTS or die "Cannot close $filtfile: $!\n";

<-------cut here------>

On Tue, 10 Dec 2002 07:57:57 -0800
"Keplinger, Michael A" <[EMAIL PROTECTED]> wrote:

> Thanks for the responses thus far.
> 
> We are using Libpcap version 0.4
> and tcpdump v3.4
> 
> which is the same that Guy Harris had when his crashed.  It may be difficult to 
> upgrade due to our Customer (contract gig).  I'll see if I can work around it.
> 
> Thanks
> 
> -----Original Message-----
> From: Jefferson Ogata [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 09, 2002 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: [tcpdump-workers] Max lines in filter
> 
> 
> Keplinger, Michael A wrote:
> > Does anybody know if there is a maximum number of lines that you can 
> > have in a tcpdump filter, I am getting segmentation fault when the 
> > number of lines approaches 100.
> 
> What version of tcpdump and libpcap? There is a bug in older versions of the 
> code generator.
> 
> -- 
> Jefferson Ogata <[EMAIL PROTECTED]>
> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
> 
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe


-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
[EMAIL PROTECTED]
voice   603-646-0665
fax     603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
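An added example, not part of the original post or of tcpdump itself, that automates the sweep the post describes: it generates filter files of increasing length in the same "port 1 / or port N" shape as lengthtest.pl and times only tcpdump's compile step (-d prints the compiled BPF program and exits without reading packets). It assumes tcpdump is on PATH and that a header-only pcap exists; the pcap name defaults to the post's pcaptestfile and the filter file names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: time tcpdump filter compilation against filter length.
# Assumes tcpdump on PATH and an empty (header-only) capture file; both
# names below are placeholders, not from the original post's setup.
PCAP="${PCAP:-pcaptestfile}"

# Print a filter of N OR'd port clauses, one per line (same shape as lengthtest.pl).
gen_filter() {
    n=$1
    echo "port 1"
    i=2
    while [ "$i" -le "$n" ]; do
        echo "or port $i"
        i=$((i + 1))
    done
}

# Count the clauses in a filter file (sanity check on the generator's output).
count_clauses() {
    wc -l < "$1" | tr -d ' '
}

# Time only the compile: -r supplies the link type from the capture header,
# -d dumps the compiled program and exits, so no packets are ever read.
time_compile() {
    f=$1
    start=$(date +%s)
    tcpdump -r "$PCAP" -d -F "$f" > /dev/null 2>&1
    rc=$?
    end=$(date +%s)
    echo "$(count_clauses "$f") clauses: rc=$rc elapsed=$((end - start))s"
}

# Grow the filter across the range where the post saw compile times blow up.
sweep() {
    for n in 50 100 200 500; do
        gen_filter "$n" > "filter_$n.txt"
        time_compile "filter_$n.txt"
    done
}

if [ "${1:-}" = "sweep" ]; then
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; exit 1; }
    [ -r "$PCAP" ] || { echo "capture file $PCAP not readable" >&2; exit 1; }
    sweep
fi
```

Run as `sh sweep.sh sweep`; a non-zero rc on a given length is the point at which the code generator gave up, and the elapsed column shows how compile time scales before that.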