[ILUG] Re: tcpdump and CONFIG_PACKET modular
Pádraig Brady
P at draigBrady.com
Tue Feb 14 10:08:47 GMT 2006
Niall O Broin wrote:
> On 11 Feb 2006, at 00:08, Niall O Broin wrote:
>
>> I have a SLES box on which I'm trying to run tcpdump. However, when I do
>>
>> tcpdump -i eth0
>>
>> I get
>>
>> tcpdump: socket: Address family not supported by protocol
>>
>> A little research shows that I need a kernel with CONFIG_PACKET
>> enabled to allow tcpdump to work. The kernel on this box has
>> CONFIG_PACKET set to m in the kernel config file.
>>
>> So, what module do I load to enable CONFIG_PACKET? Or what else
>> needs doing?
>
>
> Found it (af_packet) - go back to sleep :-)
Strange core functionality like that is a module?
I wonder is it using CONFIG_PACKET_MMAP?
With that method there are no syscalls done per packet,
whereas the traditional method used 2 syscalls per packet!
One to copy the data and the other to timestamp the packet.
af_packet uses a MMAP buffer to synchronise between the
kernel and userspace app.
I wrote a packet capture app 3 years ago now using af_packet,
and I was able to go from 20Kpps to 1.3Mpps captured and analysed
packets with no drops on a 3.2GHz P4 Xeon (mem bandwidth was the
bottleneck).
Pádraig.
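
As an added illustration of the mmap ring described in the message above (not code from the post or from the author's capture application): a reader for PACKET_RX_RING-style frames, run against a constructed in-memory ring rather than a real socket. `union slot`, `drain_ring`, `fake_fill` and `run_demo` are hypothetical names, and the 128-byte slot size, timestamps and payloads are constructed.

```c
#include <linux/if_packet.h>   /* struct tpacket_hdr, TP_STATUS_*, TPACKET_ALIGN */
#include <stdio.h>
#include <string.h>
/* One ring frame; 128 stands in for tp_frame_size from struct tpacket_req. */
union slot { struct tpacket_hdr h; unsigned char raw[128]; };
struct stats { unsigned frames, bytes, last_sec, last_usec; };

/* Consume every slot the kernel has handed over. `ring` models the mmap()ed
 * PACKET_RX_RING area: no syscall per frame, timestamp read from the header. */
unsigned drain_ring(union slot *ring, unsigned nslots, unsigned *next, struct stats *st) {
    unsigned n = 0;
    for (; n < nslots; n++, *next = (*next + 1) % nslots) {
        struct tpacket_hdr *h = &ring[*next].h;
        if (!(h->tp_status & TP_STATUS_USER))
            break;                              /* still owned by the kernel */
        if ((size_t)h->tp_mac + h->tp_snaplen <= sizeof(union slot)) {
            st->frames++;                       /* offsets stay inside the slot */
            st->bytes += h->tp_snaplen;
            st->last_sec = h->tp_sec; st->last_usec = h->tp_usec;
        }
        h->tp_status = TP_STATUS_KERNEL;        /* hand the slot back */
    }
    return n;   /* a real reader would poll() the socket when this is 0 */
}

/* Constructed stand-in for the kernel side: put one packet in a slot. */
void fake_fill(union slot *s, unsigned sec, unsigned usec, const char *data) {
    s->h.tp_sec = sec; s->h.tp_usec = usec;
    s->h.tp_len = s->h.tp_snaplen = (unsigned)strlen(data);
    s->h.tp_mac = TPACKET_ALIGN(sizeof s->h);
    memcpy(s->raw + s->h.tp_mac, data, s->h.tp_snaplen);
    s->h.tp_status = TP_STATUS_USER;
}

/* Demo on a 4-slot constructed ring; returns the number of slots drained. */
unsigned run_demo(struct stats *st) {
    union slot ring[4] = {0};
    unsigned next = 0;
    memset(st, 0, sizeof *st);
    fake_fill(&ring[0], 1139911727, 100, "abcd");
    fake_fill(&ring[1], 1139911727, 250, "efghij");
    return drain_ring(ring, 4, &next, st) + drain_ring(ring, 4, &next, st);
}

int main(void) {
    struct stats st;
    unsigned n = run_demo(&st);
    printf("%u slots, %u frames, %u bytes, last ts %u.%06u\n", n, st.frames, st.bytes, st.last_sec, st.last_usec);
}
```

A slot whose header offsets point outside the frame is returned to the kernel without being counted, so a corrupt header cannot make the reader walk past its slot.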