cnetwork-programminglibpcappacket-capturenetwork-traffic

tcpdump is buffering incoming packets and storing into pcap file


I have two VM connected to each other with 10G NIC card, now on one vm i am playing packets from the pcap file using libpcap in continuous stream, on other end of vm i am using tcpdump to capture the incoming packets, the packets interval is not constant, but looks to be buffering to amount of incoming packets and then appending the timestamp then, writing to pcap file

input: 16 packets continuous stream output expected: 16 packets with packet interval constantly increasing

tcpdump command used:

sudo tcpdump -i eth0 --immediate-mode -w tcp_replay_capture_timestamp1.pcap --time-stamp-precision nano

reality: after like 5-6 incoming packets the packets are written to pcap file with lesser timestamp interval enter image description here


Solution

  • reality: after like 5-6 incoming packets the packets are written to pcap file with lesser timestamp interval

    There are multiple buffers involved.

    One is the buffer in the packet capture mechanism; as this is probably Linux (as per the device name "eth0"), --immediate-mode should prevent packets from being buffered and delivered in batches with a timeout.

    The other is the buffering done by the standard I/O library mechanisms. Tcpdump uses libpcap to write the capture file, and libpcap uses the standard I/O library routine fwrite() to write to a stream opened with fopen(), and that mechanism buffers data, writing it to the capture file (with a write() call) when the standard I/O buffer (which is probably, at minimum, somewhere between 1KB and 4KB in size, and perhaps larger).

    To cause tcpdump to flush that buffer for every packet, so that the data appears in the file as soon as a packet arrives, use the -U flag. If tcpdump is new enough to support that flag, and if libpcap is new enough to support flushing the buffer, then that should cause packets to be written to the file as soon as they arrive.