There are two questions here:
- the one in the title, which sounds like it asks whether libpcap copies the packet,
- the one in the body, which asks whether it always copies the entire packet.
For the first question:
There is probably at least one copy made by any code using the mechanisms on top of which libpcap runs on different operating systems - a copy from the mbufs / skbuff / STREAMS buffers, or whatever else, to a buffer for the mechanism. For Linux, though, when tpacket is not used, the skbuff can simply be queued on the receive queue for the PF_PACKET socket that libpcap uses.
There may be another copy - a copy from this buffer to userland; if libpcap uses a “zero copy” mechanism, such as the Linux tpacket mechanism (which libpcap 1.0 and later use by default), the second copy does not happen. It will happen if a zero copy mechanism is not used.
However, if you use pcap_next() or pcap_next_ex() on a Linux system, and the tpacket mechanism is used, a separate copy is made from the memory-mapped buffer to a private buffer; this does not happen if you use pcap_dispatch() or pcap_loop().
For the second question:
That is what the "snaplen" argument to pcap_open_live() and pcap_set_snaplen() is for - it allows you to specify that no more than "snaplen" bytes of packet data should be captured, which means that no more than that many bytes are copied.
Note that this length includes the link layer headers, and that those may include metadata headers, such as radiotap headers, which you can get on 802.11 adapters. These headers can be of variable length (for example, on 802.11, the 802.11 header has a variable length, and if you get radiotap headers, those are also variable length).
In addition, both IPv4 and TCP headers can have options, and IPv6 packets can have extension headers, so the length of the IP and TCP headers can also be variable.
This means that you may need to determine the "worst case" snapshot length; there is no way to explicitly say “don’t give me anything past the TCP / UDP header”, you can only say “give me no more than N bytes”.
user862787
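The "worst case" snapshot length from the answer above, worked through for one case as an added example (not part of the original answer). It assumes untagged Ethernet, IPv4 and TCP only; the function names and the sample frame are constructed for illustration, and the value returned by the first function is what you would pass to pcap_set_snaplen().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14  /* untagged Ethernet II header */
#define IPV4_MAX_HLEN 60  /* IHL is a 4-bit count of 32-bit words: 15 * 4 */
#define TCP_MAX_HLEN  60  /* data offset is a 4-bit count of words: 15 * 4 */

/* Bytes needed to be sure every Ethernet + IPv4 + TCP header byte is captured. */
int worst_case_snaplen_eth_ipv4_tcp(void)
{
    return ETH_HLEN + IPV4_MAX_HLEN + TCP_MAX_HLEN;
}

/* Offset just past the TCP header of an untagged Ethernet/IPv4/TCP frame,
 * or -1 if the frame is another kind or the captured bytes end too early. */
int headers_end(const uint8_t *p, size_t caplen)
{
    if (caplen < ETH_HLEN + 20) return -1;
    if (p[12] != 0x08 || p[13] != 0x00) return -1;   /* EtherType: IPv4 */
    if ((p[ETH_HLEN] >> 4) != 4) return -1;          /* IP version */
    size_t ihl = (size_t)(p[ETH_HLEN] & 0x0f) * 4;   /* IPv4 header length */
    if (ihl < 20 || p[ETH_HLEN + 9] != 6) return -1; /* protocol: TCP */
    size_t tcp = ETH_HLEN + ihl;
    if (caplen < tcp + 13) return -1;                /* data offset byte missing */
    size_t doff = (size_t)(p[tcp + 12] >> 4) * 4;    /* TCP header length */
    if (doff < 20 || caplen < tcp + doff) return -1; /* header truncated */
    return (int)(tcp + doff);
}

/* Constructed sample: IPv4 header with 4 option bytes, TCP with 12. */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 70);
    buf[12] = 0x08; buf[13] = 0x00;  /* EtherType IPv4 */
    buf[14] = 0x46;                  /* version 4, IHL 6 (24 bytes) */
    buf[23] = 6;                     /* protocol TCP */
    buf[50] = 0x80;                  /* TCP data offset 8 (32 bytes) */
    return 70;
}

int main(void)
{
    uint8_t buf[70];
    size_t n = build_sample(buf);
    printf("full capture: headers end at %d\n", headers_end(buf, n));
    printf("snaplen 54:   headers end at %d\n", headers_end(buf, 54));
    printf("worst case:   %d\n", worst_case_snaplen_eth_ipv4_tcp());
    return 0;
}
```

A snaplen of 54 (14 + 20 + 20, the headers without options) cuts the sample's TCP header short, which is why the limit has to be sized for the longest headers you expect rather than the typical ones.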