Date: Wed, 8 Sep 2004 11:40:17 -0400 From: "Ed Maste" <emaste@sandvine.com> To: <freebsd-net@FreeBSD.org>, <tcpdump-workers@tcpdump.org> Subject: RE: [PATCH] Add ioctl to disable bpf timestamping Message-ID: <A8535F8D62F3644997E91F4F66E341FC1BA7F6@exchange.sandvine.com>
next in thread | raw e-mail | index | archive | help
BMS wrote: > Here's a patch against 5.3 to add a per-instance switch which allows > the user to specify if captured packets should be timestamped (and, > if so, whether microtime() or the faster but less accurate > getmicrotime() call should be used). We've implemented this internally on 4.7, and have seen quite=20 impressive results. I have a test case that sends 512 byte packets and has the snap length set to get the whole packet. =20 Using microtime(), I am able to get about 120 kpps to my test=20 app. With no timestamp I can get 200 kpps. Without context=20 the absolute numbers don't mean much but the relative=20 improvement is quite impressive. Guy Helmer wrote: > I like the idea (I've been using a hack to call getmicrotime()=20 > in bpf in my own kernels), but I wonder if it would be better as a=20 > sysctl? Then it wouldn't require changes to libpcap and/or tcpdump, > and would work with any application. I think an ioctl is the right way to do it, since you could have=20 multiple BPF listeners with different requirements. For example, realtime inspection like Snort may not care about timestamps while manual inspection with tcpdump would. One way to allow the user to control this behaviour on a per- application basis would be to have libpcap check an env var in=20 order to decide if the ioctl should be set. Ed Maste Sandvine Inc.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A8535F8D62F3644997E91F4F66E341FC1BA7F6>