[Wireshark-dev] [Winpcap-users] RE: ring buffer

Gianluca Varenni gianluca.varenni at cacetech.com
Fri May 9 17:20:52 GMT 2008


First of all, I wouldn't play with thread priorities unless absolutely 
needed. Second, are you using two threads just because you expect to have 
better performance using them? If so, I would just try to remove them and 
use one single thread to dump to disk, and see what happens. The perf gain 
that you might achieve using two threads might be completely lost by the 
fact that you need to copy packets and you have synchronization to manage 
the shared queue.

Have a nice day
GV

----- Original Message ----- 
From: "Maria de Fatima Requena" <MariaF.Requena at a-e.es>
To: "Developer support list for Wireshark" <wireshark-dev at wireshark.org>; 
<winpcap-users at winpcap.org>
Sent: Thursday, May 08, 2008 11:22 PM
Subject: RE: [Wireshark-dev] [Winpcap-users] RE: ring buffer


> I have thought about synchronization issues, but all I have done is give
> the highest priority to the 'producer' and the default one to the
> 'consumer'. I think that the worst that can happen this way is leading the
> consumer to starvation, but I also think that this is not happening right
> now because of CPU scheduling.
>
> On the other hand, I can't take out load from the producer without passing 
> copied packets. Thus, is there any solution to my problem? Wireshark works 
> fine, so there must be a way, isn't there?
>
>
> María de Fátima Requena Cabot (2488)
> +34 91 787 23 00 alhambra-eidos.es
>
>
> -----Original Message-----
> From: wireshark-dev-bounces at wireshark.org 
> [mailto:wireshark-dev-bounces at wireshark.org] On behalf of Gianluca Varenni
> Sent: Friday, May 09, 2008 2:03
> To: winpcap-users at winpcap.org; Developer support list for Wireshark
> CC: winpcap-users at winpcap.org
> Subject: Re: [Wireshark-dev] [Winpcap-users] RE: ring buffer
>
>
> ----- Original Message ----- 
> From: "Maria de Fatima Requena" <MariaF.Requena at a-e.es>
> To: "Developer support list for Wireshark" <wireshark-dev at wireshark.org>
> Cc: <winpcap-users at winpcap.org>
> Sent: Tuesday, May 06, 2008 11:27 PM
> Subject: [Winpcap-users] RE: [Wireshark-dev] ring buffer
>
>
>> We thought about that, so in the packet handler method what I do is push
>> packets into a global queue just to avoid interfering with packet
>> capture. A different thread is in charge of popping packets and managing
>> them. Both threads have the same priority at the moment, I don't know if I
>> should change this somehow.
>>
>
> Well, if you are pushing packets in a queue, you are probably copying them,
> which introduces overhead. And since it's a queue shared by 2 threads, you
> surely have some sort of synchronization, which can introduce some further
> overhead.
>
>> I took a look at Wireshark source code, and the read timeout parameter in
>> pcap_open is set to 250 there (not 1000 like savedump example). According
>> to my problem, which choice is the best?
>
> I think that Wireshark sets it to 250 ms to have a faster refresh on the
> screen. Putting a timeout of 250 vs 1000ms doesn't affect performance a lot
> in case of high traffic.
>
> Have a nice day
> GV
>
>>
>> María de Fátima Requena Cabot (2488)
>> +34 91 787 23 00 alhambra-eidos.es
>>
>>
>>
>> -----Original Message-----
>> From: wireshark-dev-bounces at wireshark.org
>> [mailto:wireshark-dev-bounces at wireshark.org] On behalf of Gianluca Varenni
>> Sent: Tuesday, May 06, 2008 17:58
>> To: Developer support list for Wireshark
>> CC: winpcap-users at winpcap.org
>> Subject: Re: [Wireshark-dev] ring buffer
>>
>> As you can see from the savedump source code, the code to dump packets is
>> minimal. And the sample uses the standard parameters to the pcap functions.
>> I think your application drops packets because it's somewhat slow at
>> processing packets (if you are doing any processing). What are you doing
>> after you receive a packet?
>>
>> Have a nice day
>> GV
>>
>> PS: I CCed the winpcap-users mailing list, as your question is more related
>> to that mailing list rather than wireshark-dev
>>
>> ----- Original Message ----- 
>> From: "Maria de Fatima Requena" <MariaF.Requena at a-e.es>
>> To: "Developer support list for Wireshark" <wireshark-dev at wireshark.org>
>> Sent: Monday, May 05, 2008 11:38 PM
>> Subject: Re: [Wireshark-dev] ring buffer
>>
>>
>> Oh, thanks.
>>
>> I have done two tests, and I think savedump doesn't miss any packets. What
>> can be the problem then? Maybe parameters in pcap functions or buffering?
>>
>>
>> María de Fátima Requena Cabot (2488)
>> +34 91 787 23 00 alhambra-eidos.es
>>
>>
>>
>> -----Original Message-----
>> From: wireshark-dev-bounces at wireshark.org
>> [mailto:wireshark-dev-bounces at wireshark.org] On behalf of Gianluca Varenni
>> Sent: Monday, May 05, 2008 18:17
>> To: Developer support list for Wireshark
>> Subject: Re: [Wireshark-dev] ring buffer
>>
>> What do you mean by "quite unreadable"?
>>
>> savedump creates a pcap-compatible file that can be opened with wireshark
>> (it's not a text file, it's pcap file i.e. binary).
>>
>> Have a nice day
>> GV
>>
>> ----- Original Message ----- 
>> From: "Maria de Fatima Requena" <MariaF.Requena at a-e.es>
>> To: "Developer support list for Wireshark" <wireshark-dev at wireshark.org>
>> Sent: Sunday, May 04, 2008 11:34 PM
>> Subject: Re: [Wireshark-dev] ring buffer
>>
>>
>> I have tried it and the content of the capture file (which I have given the
>> name of 'dump.txt') is quite unreadable.
>>
>>
>> María de Fátima Requena Cabot (2488)
>> +34 91 787 23 00 alhambra-eidos.es
>>
>>
>> -----Original Message-----
>> From: wireshark-dev-bounces at wireshark.org
>> [mailto:wireshark-dev-bounces at wireshark.org] On behalf of Gianluca Varenni
>> Sent: Friday, May 02, 2008 22:33
>> To: Developer support list for Wireshark
>> Subject: Re: [Wireshark-dev] ring buffer
>>
>> Out of curiosity, does the sample in the WinPcap developer's pack named
>> wpdpack\Examples-pcap\savedump lose packets as well?
>>
>> Have a nice day
>> GV
>>
>>
>> ----- Original Message ----- 
>> From: "Maria de Fatima Requena" <MariaF.Requena at a-e.es>
>> To: "Developer support list for Wireshark" <wireshark-dev at wireshark.org>
>> Sent: Friday, May 02, 2008 4:39 AM
>> Subject: [Wireshark-dev] ring buffer
>>
>>
>> Hi
>>
>> I am implementing a packet sniffer with VS. Some time ago I posted about
>> problems with losing packets, and someone here suggested to me that it could
>> be a problem between disk access and NIC speed.
>>
>> I have done some research, and it seems this doesn't happen to Wireshark
>> because of the use of a ring buffer. Can someone tell me which files (apart
>> from ringbuffer.c) are involved in Wireshark avoiding packet loss? Can I use
>> any configuration of WinPcap function parameters to lose fewer packets?
>>
>> Thanks in advance
>>
>>
>> María de Fátima Requena Cabot (2488)
>> +34 91 787 23 00 alhambra-eidos.es
>>
>>
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev at wireshark.org
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
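
The thread compares savedump's binary capture file with the custom sniffer's output; counting the records in each file is one way to make that comparison concrete. The following is an added example, not part of any message in the thread and not WinPcap or Wireshark code: a walker for the classic pcap file layout that also rejects non-pcap and truncated files. The function name `pcap_count_records` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic pcap layout: a 24-byte file header, then for each packet a 16-byte
 * record header (ts_sec, ts_usec, caplen, len) followed by caplen bytes. */
static uint32_t rd32(const uint8_t *p, int big)
{
    return big ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
               : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Returns the number of complete packet records, -1 if buf is not a classic
 * pcap file, -2 if a record header or its payload runs past the end. */
long pcap_count_records(const uint8_t *buf, size_t n)
{
    int big;
    if (n < 24) return -1;
    uint32_t magic = rd32(buf, 0);
    if (magic == 0xa1b2c3d4u) big = 0;          /* written little-endian */
    else if (magic == 0xd4c3b2a1u) big = 1;     /* written big-endian */
    else return -1;                             /* e.g. a text file */

    size_t off = 24;
    long count = 0;
    while (off < n) {
        if (n - off < 16) return -2;            /* partial record header */
        uint32_t caplen = rd32(buf + off + 8, big);
        uint32_t len = rd32(buf + off + 12, big);
        /* caplen comes from the file: bound it before trusting it. */
        if (caplen > len || caplen > n - off - 16) return -2;
        off += 16 + (size_t)caplen;
        count++;
    }
    return count;
}

/* Constructed sample: little-endian header plus two short records. */
const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,   0xde,0xad,0xbe,0xef,
    1,0,0,0, 0,0,0,0, 2,0,0,0, 60,0,0,0,  0x00,0x01,
};

int main(void)
{
    printf("records: %ld\n", pcap_count_records(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

A return of -2 on a file produced by an interrupted capture points at a cut-off final record rather than at packets dropped during capture; the file alone cannot show the latter.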