Libpcap or PF_PACKET?

Question

Libpcap or PF_PACKET?

I understand that this question has been discussed many times: Should I use libpcap or PF_PACKET (socket for data transfer) to capture packets?

Based on my research, libpcap is offered by PF_PACKET almost everywhere, mainly because of its portability.

However, for my current project (which is used in the production system) portability is not a problem, all I care about is performance (speed, packet loss rate). My program runs on CentOS 5.10 (kernel 2.6.18) As far as I know, libpcap puts a timestamp for each package. Does this mean a big loss in performance? Are there other factors that make libpcap unusable on a high speed network?

+4

linux linux-kernel network-programming libpcap

user2975098 Oct 14 '14 at 15:45

source share

1 answer

user862787 · Accepted Answer · 2014-10-14T19:09:33+0000

As far as I know, libpcap puts a timestamp for each package.

No, libpcap gets the timestamp for a package from the OS package capture mechanism it uses - which on Linux ...

... Sockets PF_PACKET.

Linux kernel time marks incoming packets. PF_PACKET sockets have several ways to read from them:

gets a standard socket, for which you can either get a timestamp with an explicit ioctl (so that you can’t extract it into the user area, but you cannot avoid the time of the kernel packing the package in the first place; libpcap, when using a regular socket, always asks time stamp);
, .

Libpcap , ; , , , . .

Libpcap or PF_PACKET?

More articles: