<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 9pt;
font-family:±¼¸²
}
--></style>
</head>
<body class='hmmessage'>
Hi, I am Gilbert Lee.<div><br></div><div>while (true)</div><div>{</div><div> capture packet; // (1)</div><div> process packet; // (2)</div><div>}</div><div><br></div><div>While you process the packet, if you would save VoIP traffic packets into audio files such as WAV or MP3,</div><div>there might be some cases of process load.</div><div>For example, CPU(RTP processing, audio codec decoding), disk(writing into file), or any other I/O activities.</div><div>It is important for application to avoid accumulating delay of processing packet time(2).</div><div>Neither kernel buffer size nor NIC card specification are not the problem.</div><div><br></div><div>Regards,</div><div>Gilbert</div><div><br><br><hr id="stopSpelling">From: gianluca.varenni@cacetech.com<br>To: winpcap-users@winpcap.org<br>Date: Fri, 20 Nov 2009 10:05:00 -0800<br>Subject: Re: [Winpcap-users] On win32, how to increase kernel buffer size more than 128<br><br>
<style>
@page Section1
{size:8.5in 11.0in;}
.ExternalClass P.ecxMsoNormal
{font-size:12pt;font-family:'Times New Roman';}
.ExternalClass LI.ecxMsoNormal
{font-size:12pt;font-family:'Times New Roman';}
.ExternalClass DIV.ecxMsoNormal
{font-size:12pt;font-family:'Times New Roman';}
.ExternalClass A:link
{color:blue;text-decoration:underline;}
.ExternalClass SPAN.ecxMsoHyperlink
{color:blue;text-decoration:underline;}
.ExternalClass A:visited
{color:purple;text-decoration:underline;}
.ExternalClass SPAN.ecxMsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
.ExternalClass SPAN.ecxEmailStyle17
{color:windowtext;font-family:Arial;}
.ExternalClass DIV.ecxSection1
{page:Section1;}
</style>
<div>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">128MB is basically a hard limit of
the windows kernel on 32 bit machines (it's actually a bit higher than that).
There is nothing you can do to change it. </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">However, let's step back for
one second. Increasing the kernel buffer size helps only in some very limited
situations i.e. when you average traffic rate is pretty low, you have some short
term spikes of traffic, and your application is not able to cope with these
sudden spikes in a timely fashion. Increasing the kernel buffer size will help
because the packets of the spike will be stored in the buffer while your
application slowly processes them. It's my understanding that in your case you
average traffic rate is just higher (250Mbps). In this case, increasing the
kernel buffer size will not help. It will just delay the instant when you will
start dropping packets (e.g. after 10 seconds from the beginning of the capture
instead of 1second). In this case you need to understand why you are losing
packets:</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"></span></font> </p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">- is your application too slow
to process the packets?</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">- are you dumping to disk? In
this case, the disk can definitely be a bottleneck.</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"></span></font> </p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">Hope it
helps</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">GV</span></font></p></div>
<blockquote style="padding-right:0px;padding-left:5px;margin-left:5px;border-left:#000000 2px solid;margin-right:0px">
<div style="font:10pt arial">----- Original Message ----- </div>
<div style="background:#e4e4e4;font:10pt arial;font-color:black"><b>From:</b>
<a title="santosh.k@knoahsoft.com" href="mailto:santosh.k@knoahsoft.com">Santosh
Karankoti</a> </div>
<div style="font:10pt arial"><b>To:</b> <a title="winpcap-users@winpcap.org" href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a> </div>
<div style="font:10pt arial"><b>Sent:</b> Friday, November 20, 2009 7:54
AM</div>
<div style="font:10pt arial"><b>Subject:</b> [Winpcap-users] On win32,how to
increase kernel buffer size more than 128</div>
<div><br></div>
<div class="ecxSection1">
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">Hi,</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">My machine windows XP (win32) gets
the voice traffic of more than 250 Mbps at NIC from a switch. Basically, my
NIC was at 100 Mbps and the port on the switch is also the same. I am
developing an app to use winpcap lib to read packets from my NIC and write it
to file. I also ran parallel wireshark to check performance of my app. When my
app and wireshark running both at a time on my machine, I could clearly see
that the packets were getting lost. This was at the time when the traffic was
100 Mbps. When my app was trying to read 100 Mbps packets rate I could clearly
see that not all the packets were read and most of the packets were lost by my
app but in wireshark I could see all the packets in sequence, thought the
limit of 100 Mbps is reached, I increased the link to be 1Gig at switch port
and my NIC. Now the 100 Mbps is ok. </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">I increased the load to receive
150 Mbps, which almost was very equal to the wireshark capturing, was fine
there. When I jumped to 200 Mbps and (max) 250 Mbps traffic.
</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">Here I again encountered the
packets are getting lost. Now this time when I compared with wireshark, there
I could see clearly that it did not had some of the sequence packets and it
did not mention or say that the packet segmentation lost.
</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">Might be that the packets are
genuinely lost at the switch or the winpcap library kernel buffer is getting
overflown at this limit. At the switch the port is 1Gig bit, seems like no
issue from the switch port. Found that the winpcap has limit of 128 MB kernel
buffer size in the 32 bit. I ran the same in the 64 bit machine, got the same
issue there also. But its limit there seems to be 128 GB. Not sure whether
these values are correct or not. </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">My next alternate is to try
increasing the winpcap kernel buffer size for 32 bit. I don¡¯t want to try new
things with 64 bit machine. I saw some thread to use
</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">BOOLEAN PacketSetBuff(LPADAPTER
AdapterObject, int dim) function.</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">But where I can I find complete
details of where can I find this function in which file of Winpcap file and
details of the library name, file name, dll name. FYI, my app uses v4.0.2
winpcap. A quick response with some helpful stuff is
appreciable.</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">Thanks,</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial">
SIPSantosh.</span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p>
<p class="ecxMsoNormal"><font face="Arial" size="2"><span style="font-size:10pt;font-family:Arial"> </span></font></p></div>
<BR><hr>
<BR>_______________________________________________<br>Winpcap-users
mailing
list<br>Winpcap-users@winpcap.org<br>https://www.winpcap.org/mailman/listinfo/winpcap-users<br></blockquote></div> </body>
</html>