<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1250">
<META content="MSHTML 6.00.2900.2873" name=GENERATOR>
<STYLE>@page Section1 {size: 612.0pt 792.0pt; margin: 72.0pt 90.0pt 72.0pt 90.0pt; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-compose
}
DIV.Section1 {
page: Section1
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue bgColor=#ffffff>
<DIV><FONT face="Courier New" size=2>Ian,</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>I haven't tried to replicate the problem on
my machines, but it seems quite strange to me that the DPC time goes to 50%
(probably a HT/multicore/multiprocessor machine and 1 CPU is 100%!?!).
</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Even if there's a wrap-around bug in
WinPcap, I would expect a blue screen, no packets captured or packets completely
dropped, but not a polling at DPC level (as you seem to be experiencing). As
someone pointed out on the ddk newsgroup, it's possible that a buggy nic driver
causes this effect by not properly acknowledging an interrupt and continuously
scheduling DPCs on the system.</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>In any case, I'll try to reproduce the bug
on one of my machines here.</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2>Have a nice day</FONT></DIV>
<DIV><FONT face="Courier New" size=2>GV</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=i.hawley@synectics.co.uk href="mailto:i.hawley@synectics.co.uk">Ian
Hawley</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-team@winpcap.org
href="mailto:winpcap-team@winpcap.org">winpcap-team@winpcap.org</A> ; <A
title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, May 05, 2006 9:27 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-team] High CPU Use
Tracked to DPC Time</DIV>
<DIV><BR></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Hello Everyone, apologies if you
receive this email twice!<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">The company I work for has been
using winpcap for some time now and we recently noticed an issue which we
thought might be NIC related but could of course be WinPCap related as well
and I thought I’d float it by the mailing list and see if anyone was aware of
an issue.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Basically we recording MPEG2 via a
UDP packet stream from proprietary hardware and after a period of time the
machine enters a state where the CPU usage is around 50+% and 50% if that
usage is spent servicing DPC requests according to perfmon.exe. We
initially felt this might be the NIC we are using but we have since recreated
this by bombarding a different NIC with UDP data through a test application
and this has presented on that NIC also. At present I am wondering
whether it is an OS issue (we are running Windows 2000 Service Pack 4 on many
boxes) but I am also concerned it might be our IBM Boxes and of course, our
capture mechanism uses WinPCap and not Winsock.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">The curious thing about this
collapse of CPU is that it appears to manifest around about the time when the
host machine/application has received 2^32 packets. Knowing the data
rate we are sending to the box we are able to predict quite accurately as to
when the machine will enter this state and it appears to suggest that some
driver or piece of hardware or windows itself is wrapping a 32bit counter and
not handling the wrap correctly.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">We are presently trying various
other network cards, Windows XP and different PCs to see if we can get it to
manifest but I wanted to ask the WinPCap community if there was something that
might go pop with such a large volume of data? By accident we are using
an oldish beta of WinPCap 3.0 but one of our engineers hasn’t seen any
evidence that the release version of 3.0 nor a subsequent version might fix
this. We are however going to set our test apps running on a similar box
using WinPCap 3.1.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Note again that we have detached
our proprietary hardware from the PC and managed to generate the problem
without using that hardware so we are very confident that this has nothing to
do with the issue. The curious thing is that once the CPU has jumped
into this state it does not matter whether the data continues to be fed to the
NIC; if you stop the application that is bombarding the NIC with data, the CPU
continues to be stoically at the 50% mark. Curiously the number DPCs
queued/second appears to drop from what appears normal at circa 2000/second to
around 40/second (this is while data is going into it, I have no metrics for
when there is no data atm). As strange is that if you unplug the NIC
cable, then the CPU drops back to ostensibly zero and the PC is happy
again. Plug the cable back in however and the CPU shoots back to
50%. Unplug the cable from the PC and plug it into a hub with <I><SPAN
style="FONT-STYLE: italic">nothing else attached </SPAN></I>and it is still at
50%.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I would like to emphasize that the
position we are in presently means that we do not know if it is the IBM PCs we
are using, the 3COM NIC, some BIOS setting, the Operating System (Old systems
are running 2K and we are trying to see if it presents on XP) or some setting
we have incorrect somewhere, as unlikely as that might seem. I am not
saying it is definitely a WinPCap issue, but it would be very interesting if
any of the winpcap team could think if a way that it <I><SPAN
style="FONT-STYLE: italic">might</SPAN></I> be.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Any help would be greatly
appreciated.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Kind
Regards<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Ian
Hawley<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P></DIV><BR>
<P><FONT size=2>--<BR>No virus found in this outgoing message.<BR>Checked by
AVG Free Edition.<BR>Version: 7.1.392 / Virus Database: 268.5.4/332 - Release
Date: 04/05/2006<BR></FONT></P>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-team mailing
list<BR>Winpcap-team@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-team<BR></BLOCKQUOTE></BODY></HTML>