Hi,
I am writing a simple application that would passively monitor H323 sessions. This application will sit in the network (on a Linux platform), capture H323 packets, decode them and send useful information to another application on the network.
I have modeled this application in a very simple way. There are two processes, one for capturing and the other for decoding H323 packets. There is a loopback socket connection between these two processes for IPC (inter-process communication).
The capturing application configures pcap to filter packets for the well-known port (tcp 1720). As it receives packets from pcap, it sends a message on the socket connection and writes a packet to a file. The decoding process then reads a packet from the file, decodes it and analyzes relevant fields. The decoder is based on the OpenH323 ASN.1 compiler. This is like capturing packets in real time.
Everything works fine except for performance issues. If there is a burst of packets, the capturing process (PCAP) drops a large number of packets. Then I started comparing my application with ethereal. Ethereal, in fact, captures all packets from the same burst without any drop.
So here are my questions:
1. My understanding is that ethereal spawns two separate processes, one for capturing and the other for dissecting. The capturing process writes packets to a file and sends a message to another process over a pipe, which is used as an IPC mechanism. Am I correct? If not, could somebody correct me?
2. Any recommendations on how I can model my application like ethereal so that it will have at least the same performance as ethereal?
3. Any other suggestions to improve performance?
Your help is greatly appreciated.
Thanks
Sudhir