Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Have tshark discard state when doing ring-buffer capture

Date Prev · Date Next · Thread Prev · Thread Next
From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Tue, 1 Jul 2014 07:51:14 +0000

Hi,

This is perhaps a better place to have the discussion of the implementation, copying info from gerrit, etc here:

 

Anders wrote:

>I suppose tshark epan new calls the dissector initial routines clearing all hashtables etc,during heavy load that might trigger packet loss I guess.

 

Evan wrote:

 
>As Anders correctly pointed out in I7d8f84b2e, constantly resetting state will
>turn init_dissection into a bit of a hot path. Especially as we will already
>bear the overhead of switching files, we don't want to fall any further behind
>than we have to.
>This change includes three unrelated optimizations that reduce the cost of
>init_dissection by about 40% as measured by callgrind:
> - only initialize ares/ADNS if that preference is enabled (this of course only
>   applies if you specify -n to tshark or otherwise disable the preference)
> - use memcpy instead of a loop in sigcomp UDVM init
> - use memcpy instead of a loop in bootp dissector
( Commited https://code.wireshark.org/review/2738 )

>The only remaining obvious hot spot in this path is reassembly_table_init since
>it is called by so many dissectors. Suggestions (perhaps to get rid of the
>GPtrArray) welcome.

 

Anders wrote:

 

>Could switching of files be made more efficient by preopening the next ring buffer file and delegate closing and opening next file to a new tread?

 

Another possibility that might boost performance is to remove reassembled data from the hash table and store it in per-packet-data reducing the size of the hash table and hopefully making lookups faster as well as destroying the hash table  (wmem hash tables?) or use

g_hash_table_remove_all ()

 

Did you profile ring buffer switchover? ( how?).

 

So in general I think you are right this *is* the expected behavior of tshark with ring buffers, but I fear that it might not be as useful as expected under heavy traffic because of potential packet drops during file switchover of files unless we can make it more efficient. I have no data verifying that this is the case so if we could device a measurement that would be great.

 

Regards

Anders

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Evan Huus
Sent: den 30 juni 2014 23:19
To: Wireshark Developer List
Subject: [Wireshark-dev] Have tshark discard state when doing ring-buffer capture

 

I was kind of expecting this change to generate more controversy, so I'll give it another few days but if nobody objects I'll merge it then.

I don't currently plan on putting it in 1.12 so that we have a full dev cycle to work out any subtle implications, but I know it's a fairly heavily-requested feature so I'm willing to entertain the notion if somebody wants to argue for it.

Evan