I have an application that uses libpcap as the mechanism for acquiring packets, and I need to filter out different protocols for different parts of the application. I need to consider optimization as the streams will have a high rate of traffic (100-400 Mbps).
What I would really like to be able to do is set up a live capture (no filter), and then selectively filter packets after the capture is made. It doesn't seem like this is possible (the bpf is built into the capture mechanism from what I can tell).
If this indeed is not possible, there are two other ways of doing it (that I have thought of), and I am not sure what would be considered more efficient or 'better':
- Make multiple captures each with their own filter
- Make one capture (no filter) that dumps to fifos, and have other captures read from those fifo (with their own filters)
1 solution
#1
The fifo-approach is probably not very efficient as it involves copying lots and lots of memory from A to B (e.g. 400mbps buffered - they must not block each other - to four fifos, each having a different filter, deciding to throw away 99.99% of accumulated 1600mbps). Multiple captures on the other hand only trigger action in userland if there is actually stuff to do. The filtering is (usually) done in the kernel.
A third approach is to use libwireshark, the lower portion of Wireshark, to do filtering (and wtap for capturing). This involves quite some code overhead as libwireshark is not exactly in perfect shape for third party use outside of Wireshark.
However this does come with the ability to use Wireshark's "Display Filters", which are compiled to bytecode and reasonably efficient. Many filters may be compiled once and may look at the same frame one after another. You may be able to "stack" filters as e.g. "ip.tcp" implies "ip".
This becomes quite efficient if you are able to generate the most common element of all filters and place it as a BPF-filter on your capturing device. The display-filters then only look at data that might interest at least one of them.
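The scheme the answer ends on, a common BPF prefix on the capture device plus finer per-consumer filters applied one after another to each frame that gets through, as an added example that is not part of the question or the answer above. It swaps in libpcap's own classic BPF for libwireshark display filters: in a real program each filter string would be compiled once with pcap_compile() (on a handle from pcap_open_dead(DLT_EN10MB, snaplen) if there is no live device yet) and applied per frame with pcap_offline_filter(), while the common prefix goes to the kernel with pcap_setfilter(). To stay self-contained and runnable offline, the block carries its own minimal interpreter for the four classic BPF opcodes those simple programs need, hand-assembled IPv4-only programs for "ip", "tcp" and "udp" on Ethernet, and constructed frames; bpf_run, filter_mask, sample_frame and classify_sample are names chosen here, not libpcap functions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction, same layout as libpcap's struct bpf_insn (and `tcpdump -dd` output). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values from <pcap/bpf.h> for the subset this interpreter supports. */
#define LD_H_ABS 0x28  /* A = 16-bit big-endian half-word at pkt[k] */
#define LD_B_ABS 0x30  /* A = byte at pkt[k] */
#define JEQ_K    0x15  /* pc += (A == k) ? jt : jf, relative to the next insn */
#define RET_K    0x06  /* return k: bytes to accept, 0 drops the frame */

/* Run prog over pkt; returns the accept length, 0 to drop. Every load is bounds-checked,
 * so a truncated frame is rejected rather than read past its end: that (plus no loops)
 * is why the kernel can run these on untrusted input; pcap_offline_filter() does the same in user space. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        size_t k = i->k;
        switch (i->code) {
        case LD_H_ABS:
            if (k > len || len - k < 2) return 0;
            a = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case LD_B_ABS:
            if (k >= len) return 0;
            a = pkt[k];
            break;
        case JEQ_K:
            pc += (a == i->k) ? i->jt : i->jf;
            break;
        case RET_K:
            return i->k;
        default:
            return 0;   /* unsupported opcode: fail closed */
        }
    }
    return 0;           /* fell off the end without RET: drop */
}

/* Hand-assembled for Ethernet: ethertype at offset 12, IPv4 protocol byte at 14 + 9 = 23.
 * IPv4 only (pcap_compile's "tcp" also covers IPv6); 0xFFFF stands in for the snaplen. */
static const struct insn prog_ip[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 1, 0x0800 }, { RET_K, 0, 0, 0xFFFF }, { RET_K, 0, 0, 0 } };
static const struct insn prog_tcp[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 3, 0x0800 }, { LD_B_ABS, 0, 0, 23 },
    { JEQ_K, 0, 1, 6 },     { RET_K, 0, 0, 0xFFFF }, { RET_K, 0, 0, 0 } };
static const struct insn prog_udp[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 3, 0x0800 }, { LD_B_ABS, 0, 0, 23 },
    { JEQ_K, 0, 1, 17 },    { RET_K, 0, 0, 0xFFFF }, { RET_K, 0, 0, 0 } };

/* Filter table: bit 0 = "ip" (the common prefix, the one to push into the kernel), 1 = "tcp", 2 = "udp". */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
static const struct insn *const progs[] = { prog_ip, prog_tcp, prog_udp };
static const size_t prog_len[] = { LEN(prog_ip), LEN(prog_tcp), LEN(prog_udp) };
#define NFILTERS LEN(progs)

/* Apply every compiled filter to one frame; returns a bitmask of matches. The "ip" prefix
 * runs first and, if it fails, the specific filters are skipped: the stacking the answer
 * describes (tcp implies ip). */
uint32_t filter_mask(const uint8_t *pkt, size_t len)
{
    uint32_t mask = 0;
    if (!bpf_run(progs[0], prog_len[0], pkt, len)) return 0;
    mask |= 1u;
    for (size_t f = 1; f < NFILTERS; f++)
        if (bpf_run(progs[f], prog_len[f], pkt, len)) mask |= 1u << f;
    return mask;
}

enum { FRAME_TCP, FRAME_UDP, FRAME_ARP, FRAME_SHORT_IP };
/* Constructed test frames (not captured traffic), written into buf[64]; returns the length. */
size_t sample_frame(uint8_t *buf, int kind)
{
    memset(buf, 0, 64);
    memset(buf, 0xaa, 12);                    /* dummy dst/src MAC */
    if (kind == FRAME_ARP) { buf[12] = 0x08; buf[13] = 0x06; return 42; }
    buf[12] = 0x08; buf[13] = 0x00;           /* ethertype IPv4 */
    buf[14] = 0x45;                           /* version 4, IHL 5 */
    buf[23] = (kind == FRAME_UDP) ? 17 : 6;   /* protocol byte */
    return kind == FRAME_SHORT_IP ? 20 : 54;  /* 20 bytes: truncated before the protocol byte */
}

/* Build one sample frame and classify it; returns the match bitmask. */
uint32_t classify_sample(int kind)
{
    uint8_t buf[64];
    size_t len = sample_frame(buf, kind);
    return filter_mask(buf, len);
}

int main(void)
{
    for (int kind = FRAME_TCP; kind <= FRAME_SHORT_IP; kind++)
        printf("frame %d -> match mask 0x%x\n", kind, (unsigned)classify_sample(kind));
    return 0;
}
```

Compile with `cc -std=c99 -o bpfdemo bpfdemo.c` and run it. Frame 3 is the interesting one: an IPv4 frame truncated at 20 bytes still passes the "ip" prefix but is dropped by "tcp" and "udp" because the protocol byte at offset 23 lies past the end, which is what the kernel or pcap_offline_filter() does instead of reading past the buffer. The stacking pays off in the common case: a frame the prefix rejects costs one half-word load and one compare and never reaches the specific filters.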