From owner-freebsd-net@FreeBSD.ORG Wed Sep 8 22:13:17 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D611516A4CE for ; Wed, 8 Sep 2004 22:13:17 +0000 (GMT) Received: from exchange.sandvine.com (sandvine.com [199.243.201.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 546B043D2D for ; Wed, 8 Sep 2004 22:13:17 +0000 (GMT) (envelope-from emaste@sandvine.com) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.0.6556.0 Date: Wed, 8 Sep 2004 11:40:17 -0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [PATCH] Add ioctl to disable bpf timestamping Thread-Index: AcSVhf6W3LYJw2mITSaLnaY/RoG35gAMDjCQ From: "Ed Maste" To: , Subject: RE: [PATCH] Add ioctl to disable bpf timestamping X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Sep 2004 22:13:17 -0000 BMS wrote: > Here's a patch against 5.3 to add a per-instance switch which allows > the user to specify if captured packets should be timestamped (and, > if so, whether microtime() or the faster but less accurate > getmicrotime() call should be used). We've implemented this internally on 4.7, and have seen quite=20 impressive results. I have a test case that sends 512 byte packets and has the snap length set to get the whole packet. =20 Using microtime(), I am able to get about 120 kpps to my test=20 app. With no timestamp I can get 200 kpps. Without context=20 the absolute numbers don't mean much but the relative=20 improvement is quite impressive. Guy Helmer wrote: > I like the idea (I've been using a hack to call getmicrotime()=20 > in bpf in my own kernels), but I wonder if it would be better as a=20 > sysctl? Then it wouldn't require changes to libpcap and/or tcpdump, > and would work with any application. I think an ioctl is the right way to do it, since you could have=20 multiple BPF listeners with different requirements. For example, realtime inspection like Snort may not care about timestamps while manual inspection with tcpdump would. One way to allow the user to control this behaviour on a per- application basis would be to have libpcap check an env var in=20 order to decide if the ioctl should be set. Ed Maste Sandvine Inc.