
I have a (legacy) specialized packet sniffing application which sniffs the Ethernet using libpcap and analyzes the received data. "The analyzer"

I'm adding another process which reads "data" from a PCI card and I'd like to feed that data into the analyzer. "The sender".

Both the sender and analyzer are on the same host running in different processes.

On the sender side, it's easy enough to read the PCI card and send the data over a socket. However, on the receiving side I could either a) modify the existing libpcap code and set an appropriate filter, or b) just open and read a socket.

Speed and performance are the important parameters. There are several pairs of sender/receiver processes running and the total across all of them is about 1 Gb/s.

Any insight on which method would be faster, more efficient, or "better"?

Modifying the libpcap receiver code would be pretty messy, but reading other posts, pcap should be using lots of tricks to improve performance (mmap, etc).

(But wouldn't reading a local socket use those same tricks?)

Thanks!

(System environment is CentOS with a 3.16 kernel.)

Danny
  • *Somebody* has to read the socket, otherwise there is no socket for PCAP to sniff; and even if you contrive that, its receive buffer will fill up and flow control will prevent further transmissions. – user207421 Dec 03 '14 at 21:48
  • And even then, PCAP usually needs the packets to actually flow through the Ethernet adapter in order to be sniffed. A local client connecting to a local server is difficult to sniff. For instance, Wireshark uses libpcap for sniffing, but cannot sniff local traffic until it is echoed through a network router as a gateway interface. Why not just have the "sender" send data directly to the "analyzer" via a pipe instead? I am assuming the "analyzer" is fixed and cannot be changed. – Remy Lebeau Dec 04 '14 at 02:12
  • Thanks for the response. Performance is the main concern. I've read that pipes flow through the filesystem and that will be too slow. I need to maximize the throughput from the sender to the analyzer. – Danny Dec 05 '14 at 15:25
  • Need to maximize the throughput from the sender to the analyzer. (I could modify the analyzer but it is 20 year old C code that has been heavily modified over the years -- so trying to avoid touching that. Adding a "receive from socket" routine might not be too difficult, but should only do that if it will be faster than the existing PCAP code, right?) The goal is not so much 'sniffing'. I'm both sender and receiver with both on localhost. Just need the "best" way to do that. – Danny Dec 05 '14 at 15:33
