Is network speed/performance affected by libpcap based application?

Question

I am using the libpcap library to monitor HTTP requests and responses. I am also storing the 10 most recent GET requests in memory based on string search and a few responses. Suppose the monitor is on and I am downloading a file, will it affect my download speed or is it, a copy of packet is passed on to libpcap without affecting the traffic?

Previously, i was doing same using iptables + libnetfilter_queue. My libnetfilter_queue based module was bit slow in analysing the packets as many string searches and related operations were done on every outgoing packet, and few incoming packets. It affected by download speed, suppose downloading a file using a download accelerator. When the module was running my download speeds were less in comparison to when it wasn't running. Possible because all the packets were passed to my netfilter_queue module and then to other user applications. Will i face the same problem with libpcap. I heard it uses some zero-copy mechanism.

Answer 1

A copy of the packet is passed to the PF_PACKET socket (I'm inferring from "libnetfilter" that you're using Linux), so it's not processed in the same code path that processes it as regular network input.

Newer versions of libpcap (1.0 and later) pass those packets to userland through shared memory, which is the "zero-copy" mechanism.

However, there's still processing being done for each packet, so there will be some slowdown unless your machine has idle processor cores and spare memory bandwidth (and disk bandwidth if your program is writing significant amounts of data to the file system). It won't directly increase packet processing latency, as it's not in the code path the way your netfilter-based mechanism was, so it probably won't impact networking performance as much.

Answer 2

It will be a copy of packet is passed on to libpcap without affecting the traffic.