I looked around to find documentation on tcpdump
internals, but I have not found anything yet. So my question is: how intrusive is tcpdump
on a computer? How do I evaluate the amount of resources (memory or CPU) dedicated to the analysis of the traffic?
Tcpdump and Wireshark are examples of packet sniffers. Tcpdump provides a CLI packet sniffer, and Wireshark provides a feature-rich GUI for sniffing and analyzing packets. By default, tcpdump operates in promiscuous mode. This simply means that all packets reaching a host will be sent to tcpdump for inspection.
While debugging, we noticed a strange effect: when we turn on tcpdump on the gateway within the VS environment on one interface (toward which the traffic is directed), two things happen: the throughput performance increased by about 50%
Furthermore, Wireshark helps you separate streams, such as an entire TCP session's conversation. Tcpdump is most commonly used on traditional system-based interfaces, whereas Wireshark maps additional network interfaces. Tcpdump provides only a simple analysis of such traffic types, for example DNS queries.
The tools are tcpdump and Wireshark. These are passive tools; they simply listen to all traffic exposed to the system by the networking infrastructure.
As far as I have read, tcpdump's consumption is kinda variable depending on what you're asking it to do.
To see how many resources your tcpdump process consumes, just watch a system monitor like top.
Top manual.
tcpdump output can be considerable if the network traffic your expression defines is high bandwidth, particularly if you are capturing more than the default 68 bytes of packet content.
Capturing packets related, for example, to a large file transfer or a web server being actively used by hundreds or thousands of clients will produce an overwhelming amount of output. If writing this output to stdout you will probably be unable to enter commands in your terminal; if writing to a file you may exhaust the host's disk space. In either case tcpdump is also likely to consume a great deal of CPU and memory resources.
To avoid these issues:
- Be very careful when specifying expressions and try to make them as specific as possible.
- Don't capture during times of heavy traffic/load.
- If you wish to capture entire packet contents, do a test capture only capturing the default 68 bytes first and make a judgement on whether the system will cope with the full packet content capture.
- Where writing to disk, carefully monitor the size of the file and make sure the host in question has the likely disk resources required available, or use the -c parameter to limit the number of packets captured.
- Never use an expression that would capture traffic to or from your remote telnet/SSH/whatever terminal/shell. tcpdump output would generate traffic to your terminal, resulting in further output, resulting in more traffic to your terminal and so on in an infinite and potentially harmful feedback loop.
Origin: Tcpdump - Basics
tcpdump is a very simple tool which basically opens a special type of socket
socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
and writes to disk everything it gets.
The kernel does all the capturing and manages a special buffer to store packets for tcpdump. If the buffer is full, the packet is just dropped. The buffer size is regulated with the -B option. Most systems have an upper limit for the buffer, ~2GB or something like that.
From a CPU standpoint you need the computation power to copy all data 2 or 3 times; this usually is not a problem. If you are unable to capture a 1GB link you most probably should blame disk speed, not CPU. For a 10Gb link it could be CPU problems and memory-bus bandwidth problems, and you may need some optimisations for this.
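As an added example (not code from the thread or from tcpdump itself), the following Python helper sizes a capture before running it and checks afterwards whether the kernel buffer overflowed, following the advice above: a specific filter with the operator's own SSH session excluded, -s, -c, -B and -w, then the "dropped by kernel" count from tcpdump's exit summary. It assumes the libpcap file layout (24-byte file header, 16-byte record header per packet) and that tcpdump prints its usual three summary lines; the summary text and the interface, host and rate values are constructed sample data.

```python
import re

PCAP_FILE_HEADER = 24    # bytes: libpcap global header written once by -w
PCAP_RECORD_HEADER = 16  # bytes per packet: ts sec, ts usec, caplen, wire len


def estimate_pcap_bytes(packets_per_second, seconds, avg_wire_len, snaplen):
    """Rough on-disk size of a `tcpdump -w` capture, so disk can be checked first.
    Each record stores at most snaplen bytes of the packet; this is why the
    thread suggests a 68-byte test capture before a full-content one."""
    caplen = min(avg_wire_len, snaplen)
    return PCAP_FILE_HEADER + packets_per_second * seconds * (PCAP_RECORD_HEADER + caplen)


def build_tcpdump_argv(iface, expr, outfile, snaplen=68, max_packets=10000,
                       buffer_kib=4096, session_host=None, session_port=22):
    """argv for a bounded capture: filter, -s snaplen, -c packet limit,
    -B kernel buffer (KiB), -w to disk. The operator's own SSH session is
    excluded so capture output cannot feed back into captured traffic."""
    if session_host:
        expr = f"({expr}) and not (host {session_host} and port {session_port})"
    return ["tcpdump", "-i", iface, "-s", str(snaplen), "-c", str(max_packets),
            "-B", str(buffer_kib), "-w", outfile, expr]


SUMMARY_RE = re.compile(r"(\d+) packets? (captured|received by filter|dropped by kernel)")


def parse_tcpdump_summary(stderr_text):
    """Counts from tcpdump's exit summary; 'dropped' is the kernel discarding
    packets because the -B buffer was full, as described in the thread."""
    stats = {"captured": 0, "received": 0, "dropped": 0}
    for count, kind in SUMMARY_RE.findall(stderr_text):
        stats[kind.split()[0]] = int(count)
    return stats


def kernel_drop_ratio(stats):
    """Dropped packets relative to those the filter accepted. libpcap documents
    that whether 'received' already includes drops is platform-dependent, so
    treat this as an indicator that -B (or the filter) needs adjusting."""
    return stats["dropped"] / stats["received"] if stats["received"] else 0.0


# Constructed sample of the summary tcpdump prints after a saturated capture.
SAMPLE_SUMMARY = "10000 packets captured\n12000 packets received by filter\n3000 packets dropped by kernel\n"

if __name__ == "__main__":
    stats = parse_tcpdump_summary(SAMPLE_SUMMARY)
    print(stats, f"drop ratio {kernel_drop_ratio(stats):.1%}")
    print(estimate_pcap_bytes(50000, 60, 800, 68), "bytes for a 60 s, 68-byte test capture")
    print(" ".join(build_tcpdump_argv("eth0", "port 53", "/tmp/dns.pcap", session_host="203.0.113.5")))
```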