UNIX Socket FAQ

A forum for questions and answers about network programming on Linux and all other Unix-like systems

#1 2014-08-09 08:24 AM

tahmoures
Member
Registered: 2014-08-09
Posts: 6

Raw socket sniffer miss packets

Hi all,

I wrote a sniffer to sniff data from the LAN through a raw socket in Linux.
When I ran Wireshark and my code simultaneously, I found out that there are some packets that my program fails to receive, and also there are some other packets that I received in my program but Wireshark misses them.
The data rate is about 60 Mbps.

Do you have any idea about it?

Thanks.

Last edited by tahmoures (2014-08-09 08:25 AM)

#2 2014-08-09 03:17 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: Raw socket sniffer miss packets

Are you really using a "raw socket" (AF_INET, SOCK_RAW)?  Or, is it actually a packet socket (AF_PACKET)?  Wireshark will be using libpcap which will be using a packet socket on Linux...  Those will see a lot more traffic than a plain old raw IP socket will...

Assuming you're really using a packet socket as well, the issue might just be that the traffic flow is too much and packets are getting dropped before they can be read by one or the other program...  With you both competing to read the same packets at the same time, one of you is going to end up sleeping while the other runs and reads the packets; by the time the sleeper's next timeslice comes around, its receive buffer may have been filled, in which case some packets will get dropped...  You might try increasing SO_RCVBUF...

Or, is either program using a BPF filter to weed out some types of packets?  If you're only interested in seeing certain kinds, setting a filter is probably a very good thing and will help with the overflow situation by keeping your traffic down to only what you care about seeing...

#3 2014-08-10 05:16 AM

tahmoures
Member
Registered: 2014-08-09
Posts: 6

Re: Raw socket sniffer miss packets

#4 2014-08-10 02:38 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: Raw socket sniffer miss packets

#5 2014-08-11 09:29 AM

tahmoures
Member
Registered: 2014-08-09
Posts: 6

Re: Raw socket sniffer miss packets

#6 2014-08-11 12:42 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: Raw socket sniffer miss packets

It may just be you can't keep up with traffic flow of that speed...  If my quick rough calculations are correct, even assuming full MTU sized packets, 40Mbps would mean around 3500 packets per second...  Meaning your sniffer needs to read and display 3500 packets every single second...  If it fails to keep up with that rate, it will eventually fill up its receive queue and packets will get dropped...

Other stuff you can try: raise your priority (ie: lower your nice value)...  Maybe even sched_setscheduler(SCHED_FIFO), or similar...  Also, if you have that previously mentioned recvmmsg(), it may very well help you read the incoming packets faster...  But, ultimately if you really can't stand missing any packets, it may be necessary to split things up as previously mentioned, and have one dedicated thread/process that JUST reads the packets as fast as possible (and runs at a high priority), adding them to some sort of in-memory buffer/pool/list, which another thread/process (running at much lower priority) reads the packets from and displays them...  Ideally, you'd want a totally lockless design so that the packet reader can just throw things onto the list of packets without any delays and get back to reading more packets...
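
The lockless hand-off between a high-priority packet reader and a low-priority display thread described in post #6, as an added example that is not part of the original thread: a single-producer/single-consumer ring built on C11 atomics. The names `pkt_ring`, `ring_push`, `ring_pop` and the slot sizes are assumptions for illustration; the capture thread would call `ring_push` after each read from its packet socket, and the `dropped` counter makes any loss on the hand-off visible instead of silent.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 1024u  /* power of two, so index wrap is a simple mask */
#define SLOT_BYTES 2048u  /* assumed upper bound for one captured frame */

struct slot { uint16_t len; uint8_t data[SLOT_BYTES]; };

struct pkt_ring {
    _Atomic uint32_t head;         /* next slot to fill; written only by the capture thread */
    _Atomic uint32_t tail;         /* next slot to drain; written only by the display thread */
    _Atomic unsigned long dropped; /* frames discarded because the ring was full or oversized */
    struct slot slots[RING_SLOTS];
};

/* Capture thread: copy one frame in without ever blocking. Returns 1, or 0 on drop. */
int ring_push(struct pkt_ring *r, const void *frame, size_t len)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (len == 0 || len > SLOT_BYTES || head - tail == RING_SLOTS) {
        atomic_fetch_add_explicit(&r->dropped, 1, memory_order_relaxed);
        return 0;
    }
    struct slot *s = &r->slots[head & (RING_SLOTS - 1)];
    s->len = (uint16_t)len;
    memcpy(s->data, frame, len);
    /* release: the slot contents become visible before the new head does */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return 1;
}

/* Display thread: copy the oldest frame into out. Returns its length, 0 if the ring is empty. */
size_t ring_pop(struct pkt_ring *r, uint8_t out[SLOT_BYTES])
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return 0;
    const struct slot *s = &r->slots[tail & (RING_SLOTS - 1)];
    size_t len = s->len;
    memcpy(out, s->data, len);
    /* release: the slot is handed back only after the copy out has finished */
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return len;
}
```

The ring is safe only with exactly one thread calling `ring_push` and one calling `ring_pop`; a zero-initialised `struct pkt_ring` (for example a `static` one) is a valid empty ring.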

#7 2014-08-12 07:21 AM

tahmoures
Member
Registered: 2014-08-09
Posts: 6

Re: Raw socket sniffer miss packets

Thanks so much.

One other thing that I already have a problem with is that I need to reach a rate of 700 megabits per second through UDP in Gigabit mode. But unfortunately I can now only reach 190 megabits per second.
What should I do about this?

Thanks,

#8 2014-08-12 12:43 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: Raw socket sniffer miss packets

#9 2014-08-13 07:07 AM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Raw socket sniffer miss packets

#10 2014-08-13 07:45 AM

tahmoures
Member
Registered: 2014-08-09
Posts: 6

Re: Raw socket sniffer miss packets

#11 2014-08-13 12:54 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: Raw socket sniffer miss packets
