Date: Sun, 9 Dec 2007 16:41:55 +0000 (GMT)
From: Robert Watson
To: Peter Wood
Cc: freebsd-net@freebsd.org
Subject: Re: Aggregating many ports into one for tcpdump server. (also sampling before libpcap)

On Sat, 8 Dec 2007, Peter Wood wrote:

> I'd prefer to use sampling rather than just accepting kernel dropped packets
> to ensure fair selection over a time period, rather than only collecting the
> start of that period and then nothing else.
>
> I'd be willing to look into implementing that perhaps in the same way that
> Juniper Networks do for their sampling, i.e. a maximum number of packets to
> be sampled in a second, how often to sample in terms of packets and then
> when sampling how many packets it should sample.

Something that would be quite easy to do is add a "select 1 in (n) matched packets for sampling", and just adding a counter to each BPF device that goes up with each seen (but not necessarily sampled) packet. You could imagine more complex solutions that were more capable. Regardless, I suspect that the mechanism to implement a sampling scheme for BPF would be pretty straightforward and I'd be happy to lend a hand.

If you take a look at points in the bpf.c that call bpf_filter() and catchpacket(), that should get you the points of interest for such a decision. For simple rate control, I suppose one wants to do the sampling before calling the BPF filter to avoid burning CPU processing the filter for packets you won't accept anyway, inasmuch as that doesn't modify the semantics of the sampling and filtering models.

Robert N M Watson
Computer Laboratory
University of Cambridge
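
The 1-in-n counter discussed in the message above, as an added example that is not part of the original message and is not FreeBSD code: a userspace C model that compares sampling before the filter with sampling after it. The names struct sampler, toy_filter(), sample_tick(), tap() and run() are hypothetical, and the traffic is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-descriptor sampling state; not FreeBSD's struct bpf_d. */
struct sampler {
    uint32_t n;           /* keep 1 packet in every n; 0 or 1 keeps all */
    uint32_t seen;        /* packets counted since the last kept one */
    uint32_t filter_runs; /* how often the filter was evaluated */
    uint32_t captured;    /* packets that would reach the capture buffer */
};

/* Stand-in for bpf_filter(): match packets whose first byte is 0x45. */
static int toy_filter(uint8_t first_byte) { return first_byte == 0x45; }

/* Advance the counter; return 1 on every n-th call, 0 otherwise. */
static int sample_tick(struct sampler *s) {
    if (s->n <= 1) return 1;
    if (++s->seen < s->n) return 0;
    s->seen = 0;
    return 1;
}

/* One packet through the tap, sampling either before or after the filter. */
static void tap(struct sampler *s, uint8_t first_byte, int sample_first) {
    if (sample_first && !sample_tick(s)) return; /* filter never runs */
    s->filter_runs++;
    if (!toy_filter(first_byte)) return;
    if (sample_first || sample_tick(s)) s->captured++;
}

/* Constructed traffic: every match_every-th packet matches the filter. */
static struct sampler run(int sample_first, uint32_t n, uint32_t total,
                          uint32_t match_every) {
    struct sampler s = { n, 0, 0, 0 };
    for (uint32_t i = 0; i < total; i++)
        tap(&s, (i % match_every == 0) ? 0x45 : 0x60, sample_first);
    return s;
}

int main(void) {
    for (int first = 0; first <= 1; first++) {
        struct sampler s = run(first, 10, 1000, 4);
        printf("sample_first=%d filter_runs=%u captured=%u\n",
               first, (unsigned)s.filter_runs, (unsigned)s.captured);
    }
    return 0;
}
```

The two orderings count different populations (all seen packets versus matched packets), so for the same n they differ in which packets are captured as well as in filter cost.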