Wireshark-dev: Re: [Wireshark-dev] [Winpcap-users] RE: ring buffer

From: "Maria de Fatima Requena" <MariaF.Requena@xxxxxx>
Date: Sat, 10 May 2008 14:32:32 +0200
Title: RE: [Wireshark-dev] [Winpcap-users] RE: ring buffer

Hi,


> First of all, I wouldn't play with thread priorities unless absolutely
> needed.

Agreed :)

----------->OK, I will remove the priority instructions.


> Second, are you using two threads just because you expect to have
> better performance using them? If so, I would just try to remove them and
> use one single thread to dump to disk, and see what happens. The perf gain
> that you might achieve using two threads might be completely lost by the
> fact that you need to copy packets and you have synchronization to manage
> the shared queue.

----------->I used to have just one thread; the idea of using more than that is to try to avoid packet loss. And in fact, I do use some kind of synchronization, as I have a critical section around the global queue. What I meant by saying that I didn't use any was that there are no 'Wait' instructions.

   From the synchronization point of view, you could use STM (Software
Transactional Memory) to get rid of the lock mechanisms (see glib and its
atomic operations for portable CAS operations).

----------->I am working on a Windows platform. Is glib available for Windows?

   From the copy point of view, I'm not seeing exactly the perf gain you
might have by dumping the packet directly to the disk i.s.o. copying in main
memory. To copy it to the disk, it is probable that the first packets would
be copied into the disk buffer before being really dumped to the disk, which
/might/ be quicker than copying it to the memory because there wouldn't be a
page fault (and is in kernel-only space). But I guess that depending on the
network bandwidth, the copy will be much slower than copying to the memory
(without speaking about raid solutions) because the disk buffer will be full
at some point. Am I missing something?

----------->The first answer I got on this list about packet loss suggested that the problem would be writes to disk being slower than the NIC. That's why I have been trying to work on this. If you have any other idea about why my application misses packets that are caught by Wireshark, please let me know (I have checked sequence numbers just after the packet capture callback is invoked, so it is not due to mistakes in my code, at least at this point).

 On the other hand, I have some other doubts:
- How many CPUs do you have? And, as Gianluca asked you before, is your
consumer thread heavy?
I'm just asking 'cause I guess that if you have only one CPU and the
consumer thread is resource-consuming, it might be a problem. Two threads
on one processor is not really better than one monolithic process. (It is in
fact probably worse because of the synchronization used. :))

----------->I guess the consumer thread is heavy, as it needs to write files and do database accesses. As for the CPU, I think it is a 2GHz dual core. I will check it.


Regards,
Sebastien Tandel

----------->I'm thankful to all of you for taking part.
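
The lock-free hand-off between a capture callback and a disk-writer thread discussed in this message, as an added example that is not code from the thread, WinPcap or Wireshark: a single-producer/single-consumer packet ring that uses C11 `<stdatomic.h>` acquire/release operations in place of the glib atomics mentioned above. It assumes exactly one capture thread and one writer thread; all names (`pkt_ring`, `ring_push`, `ring_pop`, `SLOTS`, `SNAPLEN`) are hypothetical.

```c
/* Added example: SPSC packet ring, one capture thread and one writer thread.
   All names and sizes here are hypothetical, not from the original thread. */
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

#define SLOTS   8u      /* power of two so index masking works */
#define SNAPLEN 256u    /* bytes kept per packet */

struct slot { uint32_t len; uint8_t data[SNAPLEN]; };

struct pkt_ring {
    struct slot slots[SLOTS];
    atomic_uint head;     /* next slot to write; only the capture thread stores */
    atomic_uint tail;     /* next slot to read; only the writer thread stores */
    atomic_uint dropped;  /* packets refused because the ring was full */
};

/* Capture-callback side: copy the packet in, or count a drop. Never blocks. */
static int ring_push(struct pkt_ring *r, const uint8_t *pkt, uint32_t len)
{
    unsigned head = atomic_load_explicit(&r->head, memory_order_relaxed);
    unsigned tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == SLOTS) {              /* full: the writer is behind */
        atomic_fetch_add_explicit(&r->dropped, 1u, memory_order_relaxed);
        return 0;
    }
    struct slot *s = &r->slots[head & (SLOTS - 1)];
    s->len = len < SNAPLEN ? len : SNAPLEN;  /* truncate, never overflow */
    memcpy(s->data, pkt, s->len);
    /* release: slot contents become visible before the new head does */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return 1;
}

/* Disk-writer side: copy the oldest packet out; returns its length, -1 if empty. */
static int ring_pop(struct pkt_ring *r, uint8_t *out, uint32_t cap)
{
    unsigned tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    unsigned head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return -1;
    const struct slot *s = &r->slots[tail & (SLOTS - 1)];
    uint32_t n = s->len < cap ? s->len : cap;
    memcpy(out, s->data, n);
    /* release: the slot may be reused only after the copy is done */
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return (int)n;
}
```

The `dropped` counter separates packets lost at the hand-off (writer too slow) from packets that never reached the capture callback.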