Capturing performance with pcap vs raw socket


Question

When capturing network traffic for debugging, there seem to be two common approaches:

  1. Use a raw socket.

  2. Use libpcap.

Performance-wise, is there much difference between these two approaches? libpcap seems a nice compatible way to listen to a real network connection or to replay some canned data, but does that feature set come with a performance hit?

Recommended answer

The answer is intended to explain more about the libpcap.

libpcap uses the PF_PACKET to capture packets on an interface. Refer to the following link. https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt

From the above link:

In Linux 2.4/2.6/3.x if PACKET_MMAP is not enabled, the capture process is very inefficient. It uses very limited buffers and requires one system call to capture each packet, it requires two if you want to get packet's timestamp (like libpcap always does). In the other hand PACKET_MMAP is very efficient. PACKET_MMAP provides a size  configurable circular buffer mapped in user space that can be used to either send or receive packets. This way reading packets just needs to wait for them, most of the time there is no need to issue a single system call. Concerning transmission, multiple packets can be sent through one system call to get the highest bandwidth. By using a shared buffer between the kernel and the user also has the benefit of minimizing packet copies.

Performance improvement may vary depending on which PF_PACKET implementation is used.

From https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt -

It is said that TPACKET_V3 brings the following benefits:
  *) ~15 - 20% reduction in CPU-usage
  *) ~20% increase in packet capture rate

The downside of using libpcap -

  1. If an application needs to hold the packet then it may need to make a copy of the incoming packet.

Refer to manpage of pcap_next_ex.

pcap_next_ex() reads the next packet and returns a success/failure indication. If the packet was read without problems, the pointer pointed to by the pkt_header argument is set to point to the pcap_pkthdr struct for the packet, and the pointer pointed to by the pkt_data argument is set to point to the data in the packet. The struct pcap_pkthdr and the packet data are not to be freed by the caller, and are not guaranteed to be valid after the next call to pcap_next_ex(), pcap_next(), pcap_loop(), or pcap_dispatch(); if the code needs them to remain valid, it must make a copy of them.

  2. Performance penalty if the application is only interested in incoming packets.

PF_PACKET works as taps in the kernel, i.e. all the incoming and outgoing packets are delivered to PF_SOCKET, which results in an expensive call to packet_rcv for all the outgoing packets. Since libpcap uses PF_PACKET, libpcap can capture all the incoming as well as outgoing packets. If the application is only interested in incoming packets, then outgoing packets can be discarded by setting pcap_setdirection on the libpcap handle. libpcap internally discards the outgoing packets by checking the flags on the packet metadata. So in essence, outgoing packets are still seen by libpcap, only to be discarded later. This is a performance penalty for an application which is interested in incoming packets only.
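What the answer's points look like at the ring level, as an added example (not code from the original answer or from libpcap): one TPACKET_V3 block of the PACKET_MMAP ring is walked with no system call, frames are copied before the block is handed back, and outgoing frames are only recognised by `sll_pkttype` after they already sit in user-visible memory. The names `walk_block` and `make_block` are hypothetical, and the block is constructed in memory instead of being mapped from a real socket.

```c
#include <linux/if_packet.h> /* tpacket_block_desc, tpacket3_hdr, sockaddr_ll */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Walk one TPACKET_V3 block without any system call. Frames that are not
 * PACKET_OUTGOING are copied into out[] (caller frees); returns how many. */
unsigned walk_block(struct tpacket_block_desc *bd, uint8_t **out, unsigned max) {
    unsigned kept = 0;
    if (!bd || !(bd->hdr.bh1.block_status & TP_STATUS_USER)) return 0; /* kernel-owned */
    uint8_t *p = (uint8_t *)bd + bd->hdr.bh1.offset_to_first_pkt;
    for (uint32_t i = 0; i < bd->hdr.bh1.num_pkts; i++) {
        struct tpacket3_hdr *h = (struct tpacket3_hdr *)p;
        struct sockaddr_ll *sll = (struct sockaddr_ll *)(p + TPACKET_ALIGN(sizeof(*h)));
        if (sll->sll_pkttype != PACKET_OUTGOING && kept < max &&
            (out[kept] = malloc(h->tp_snaplen)) != NULL)
            memcpy(out[kept++], p + h->tp_mac, h->tp_snaplen); /* copy before release */
        p += h->tp_next_offset;
    }
    bd->hdr.bh1.block_status = TP_STATUS_KERNEL; /* ring memory may now be reused */
    return kept;
}

/* Constructed sample: one block of n frames, each len bytes, with given types. */
struct tpacket_block_desc *make_block(const uint8_t *types, unsigned n, unsigned len) {
    size_t first = TPACKET_ALIGN(sizeof(struct tpacket_block_desc));
    size_t stride = TPACKET_ALIGN(TPACKET3_HDRLEN + len);
    uint8_t *mem = calloc(1, first + n * stride);
    struct tpacket_block_desc *bd = (struct tpacket_block_desc *)mem;
    if (!mem) return NULL;
    bd->hdr.bh1.block_status = TP_STATUS_USER;
    bd->hdr.bh1.num_pkts = n;
    bd->hdr.bh1.offset_to_first_pkt = first;
    for (unsigned i = 0; i < n; i++) {
        uint8_t *p = mem + first + i * stride;
        struct tpacket3_hdr *h = (struct tpacket3_hdr *)p;
        h->tp_next_offset = stride;
        h->tp_snaplen = h->tp_len = len;
        h->tp_mac = TPACKET3_HDRLEN;
        ((struct sockaddr_ll *)(p + TPACKET_ALIGN(sizeof(*h))))->sll_pkttype = types[i];
        memset(p + h->tp_mac, 0xA0 + i, len); /* recognisable payload byte */
    }
    return bd;
}

int main(void) {
    const uint8_t types[] = { PACKET_HOST, PACKET_OUTGOING, PACKET_BROADCAST };
    uint8_t *out[3];
    printf("kept %u of 3 frames\n", walk_block(make_block(types, 3, 60), out, 3));
}
```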
