Pcap and packets

Post by lancer6.. » Tue, 11 Nov 2008 15:42:17

I'm new to the world of networking, and I have some questions about
packets and pcap in general. I'm running Red Hat Enterprise Linux 5 on
a PC with QuadCore processor with 4GB RAM.

I'm using tcpreplay to send 780122 packets from a 500 MB pcap file
from a server to my PC, and I'm using pcap_stats() to look at the
statistics of packets received.

My program contains the pcap_loop function that calls the callback
function, which in turn calls another function, FunctionA, that
processes the incoming packets. The pcap_stat function is called when
I terminate the program using Ctrl-C, and it'll display the number of
packets dropped and received. In my callback function, I have a
counter to keep track of the packets that enter the callback

I'd like to know what the significance of ps.recv and ps.drop is.
Are they statistics of packets received by the NIC? Does ps.drop count
packets dropped before pcap_loop is even called, or when
callback_function is called, or when FunctionA is called? What about
ps.recv? Why do my counter and ps.recv show different values? I
noticed that when I receive packets from the pcap file, I always get
twice the number of packets (shown by ps.recv). For example, the pcap
file contains 780122 packets, and for some reason I can only receive a
maximum of 780049 packets, and ps.recv will return 1560098. This is
the same for other pcap files. Why is that?

Also, when I send just one 500 MB pcap file to my PC at a relatively
high speed (~700 Mbps), I encounter no dropped packets. However, if I
loop the pcap file multiple times at the same speed, I'll get dropped
packets. Is this a sign of running out of buffer space (kernel, NIC?),
or is FunctionA simply not fast enough? Would a low CPU utilization
rate coupled with dropped packets point more towards a lack of buffer

I've also come across rmem_default and rmem_max. Are they parameters
for setting the (kernel?) buffer space for the packets? What is a good
size for rmem_default and rmem_max if I'm receiving packets at speeds
over 700 Mbps?

Finally, are there any tutorials online that would explain how a
packet is transferred from the wire to the function where it's processed,
and why packets are dropped?

Thank you.
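
An added example, not part of the original post: an independent count of the packet records in a classic pcap file, which gives a baseline to set beside the callback counter and ps.recv when the numbers disagree. The names `count_capture_records`, `capture_count` and `SAMPLE` are hypothetical, the sample bytes are constructed, and the classic pcap layout (24-byte global header, 16-byte record headers) is assumed rather than pcapng.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct capture_count { long records, snapped; int cut_short; };
/* Read a 32-bit field in the byte order the capture file was written in. */
static uint32_t rd32(const unsigned char *p, int be)
{
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Walk a classic pcap image; return 0 on success, -1 if it is not a pcap file. */
int count_capture_records(const unsigned char *buf, size_t len, struct capture_count *out)
{
    memset(out, 0, sizeof *out);
    if (len < 24) return -1;                       /* global header is 24 bytes */
    uint32_t magic = rd32(buf, 0);
    int be;
    if (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du) be = 0;       /* usec / nsec */
    else if (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u) be = 1;  /* byte-swapped */
    else return -1;
    for (size_t off = 24; off < len; ) {
        if (len - off < 16) { out->cut_short = 1; break; }   /* partial record header */
        uint32_t incl = rd32(buf + off + 8, be);    /* bytes stored in the file */
        uint32_t orig = rd32(buf + off + 12, be);   /* bytes on the wire */
        if (incl > len - off - 16) { out->cut_short = 1; break; }
        out->records++;
        if (incl < orig) out->snapped++;            /* cut by the snap length */
        off += 16 + (size_t)incl;
    }
    return 0;
}

/* Constructed sample: header, one full record, one snapped record, 8 stray bytes. */
static const unsigned char SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,  0xde,0xad,0xbe,0xef,
    0,0,0,0, 0,0,0,0, 2,0,0,0, 60,0,0,0, 0xaa,0xbb,
    0,0,0,0, 0,0,0,0
};

int main(void)
{
    struct capture_count c;
    if (count_capture_records(SAMPLE, sizeof SAMPLE, &c) != 0) return 1;
    printf("records=%ld snapped=%ld cut_short=%d\n", c.records, c.snapped, c.cut_short);
    return 0;
}
```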



1. Pcap/Libnet Interaction - Can I make pcap ignore locally generated frames?


I am building a simple bridge with libpcap and libnet as a quick hack
solution to another problem.

A problem I've encountered is that when a frame is received by libpcap
on interface A and retransmitted with libnet (using PF_PACKET) on
interface B, libpcap "hears" the same frame on interface B,
resulting in a loop.

Is there any way to prevent locally generated traffic from coming back
up in libpcap? Clearly the source ethernet address is of no help as this
is a bridge.

Any suggestions would be appreciated. I'm using libnet 1.0.1b, libpcap
0.4, and kernel 2.2.12.


Michael H. Evangelista
