[tcpdump-workers] Huge latency increase libpcap-1.4.0 -> libpcap-1.5.3

Guy Harris guy at alum.mit.edu
Fri Nov 14 16:42:10 EST 2014

On Nov 14, 2014, at 1:17 PM, Steve Bourland <sbourland at swri.edu> wrote:

> I have some programs that suffered terrible performance degradation when moving from Ubuntu 12.04 to Ubuntu 14.04.

Are those programs capturing and processing network traffic, are they sending packets and expecting to receive a response, or are they doing something else?

Is the performance issue one of high latency or of dropped packets when capturing?

> I then reduced the problem to a program that simple returned ICMP ECHO replies when requests were received.

So that's a program sending packets and expecting to receive a response...

> Under 12.04, this program works very well (with reported responses from ping of under 500 usec), however, if I point the libpcap.so files to the downloaded version 1.5.3 (originally tested with 1.6.2 and problem seen there as well), the response times jump to sometimes over 100 msec.

...and the issue you're talking about there is latency.

What timeout are you specifying with pcap_open_live() or pcap_set_timeout()?

Note that:

For programs passively capturing and processing network traffic, you probably want a long timeout (tcpdump uses 1 second, Wireshark uses 100 ms or so), so that as many packets are delivered per wakeup as possible.

For programs sending packets and expecting a response for each packet, you probably want a *low* timeout (note that 0 is *not* a valid timeout - it may mean "no timeout" in the sense that you won't see packets until the capture mechanism's buffer fills up, which could take an indefinitely long period of time) or, with newer versions of libpcap, you might want to use "immediate mode", instead, in which no timeout-based packet buffering is done - packets are delivered immediately.  pcap_set_immediate_mode() first appeared in libpcap 1.5.0.

More information about the tcpdump-workers mailing list