Highly unlinkely.
You answered your own question. All types in the struct should be fixed size
and time_t will change soon to be 64 bits.
In the time_t branch it already uses nanoseconds. Plus why you would want to
stick with micros in the new interface?
fixed sizes. Most on wire structures use fixed sizes. this allows portability
across different architectures.
It does not happen in real situations.


christos


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

2^32 1500-bytes packets is about 6TB of data, on 100Mbit link, the
sequence number will wrap after 5.6 days (if you consider
uni-directional traffic), on a 1Gb link, half a day and a bit more
than 1 hour on a 10Gb link. This is the worst case scenario. Two
records taken at the <wrap_time> interval will likely collide on
high-load link.
This is not the problem here.

The ABI breakage will anyway cause a problem with all system call
taking a `struct timespec' as a parameter or including a `struct
timespec' in one of their parameter.
The patch I commented used a micro value to get a nano value. I don't
see your point. I don't get the link between Darren's patch and the
time_t branch either.
the current BPF don't... It use a `struct timeval' whose tv_sec and
tv_usec are `long' which is not portable across architecture (i386's
long == 4, amd64's long == 8).
I'm not no so sure about this, cf above.

btw, why is the current `struct bpf_hdr' not packed ? this would avoid
the SIZEOF_BPF_HDR hack...

- Arnaud

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Notification about when packets are dropped, an indication of
whether or not the packet was going in or out... there are
additional characteristics, such as if the packet was an "error"
(i.e. bad ethernet CRC, runt, etc) but it appears BPF doesn't
see those anyway. Being able to easily find the start of the
packet, being told the complete size of the current record...
If you're sufficiently interested then I'm sure you can extract the
part that concerns you... but honestly, the code changes to BPF are
trivial. What's really important is what I included and what you've
commented on.

Simple use case? Say you've got a bridge port on your NetBSD box and
you capture packets on it. How do you know which packets were going
to boxes that are connected out that wire vs some other bridge port?
i.e. if you used tcpdump today, you've got a bunch of packets that
show a conversation between two hosts. How do you know from the
capture which packets were sent out the NIC vs which were received?

Say you've got two raw capture files from different interfaces that
have different media types. How do you merge them into one for easier
analysis? (Current pcap files encode the link type in the file header,
thus implying every packet has the same MAC type.)
So while the program was sleeping, 4 billion packets went through.
Well, I suppose that's only an hour or so of sleeping with line
rate on a 10G card. I think there's a chance that a sequence number
wrap will be noticed in those conditions.... not to mention that
grabbing the BPF statistics would show a very very large delta in
bs_drop. But left long enough on a fast NIC, even that will wrap.
I'd use "time_t" here but I don't want to risk that being
mistake for a 32bit value. uint64_t allows me to be specific
about the size of the field. Why unsigned? Because unsigned
containers never influence the value that gets put in them.
Lets see... with a 10GB port, what do you think the spacing
is between packets when they're arriving at a rate of 10,000,000
per second? Finer than microsecond granularity can provide.
I don't know what the current line speed tests of NetBSD are
with 10G cards, but at Sun I've seen boxes forwarding at
greater than 50% of 10G line speed (>5,000,000 pps.)

The point of defining the field in this manner is to make it
easily possible for future code changes to take advantage of
the extra precision available.
I'm just trying to leverage off of existing code and make the
minimal amount of changes necessary to support a new format.

But by defining a new time format to use nano-seconds rather
than microseconds, I make the change you've described possible.

For example, I don't know if nanotime() is designed to be called
1 million or more times a second... it may be the wrong thing to
use when it becomes necessary to deal with packets at that speed.
Even now, microtime isn't that fine-grained (it's rather chunky),
so I'm not trying to pretend that nano-second precision is
possible with the existing APIs but at the same time, if a change
is to be made then it needs to look forward and that means using
nanoseonds here.
Because I don't want there to be any vagueness about the size of
the field to store seconds in.

For example, even -current on i386 defines time_t (which timespec
uses) as being a "long", so it would be 32bits. Again, if change
is to be made then we need to apply some amount of future-proofing.

I suppose that we could define it in terms of picoseconds if you
feel that nanoseconds is not enough and make it a 64bit field too?
That's up to the consumer to decide. Whatever size field is used,
there's always going to be a "wrap problem", no matter what sort
of counter or wrap-counting counter is used.

I could almost be convinced to make this a 64bit counter but the
counter it pulls information from (bh_ccount) is only 32bits on
some platforms (its a long in bpfdesc.h) so it's possibly a waste
of bits, anyway. Then again, maybe bh_{c,d,r}count should all be
forcibly bumped to 64bits and then this also...
This field isn't there for sequencing, it's to provide the
consumer of the BPF data with knowledge about whether or not
there has been a dropped packet in the black of data received.
How do you know if something is black?

If EBPF_OUT isn't set to indicate out, doesn't that
then imply that the packet is an "input" packet?

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It could mean "don't know" or "don't care". It is the sort of
thing that deserves to be spelled out in documentation.

Dave

Interesting but I think that's outside the scope of what I'm
trying to do here and now. Additionally, if there were possible,
we'd need to think about if/how that is exposed to the user
and how to interpret a user saying "tap tx dma set up packets
for loopback" (because they'll try to use the same CLI/filter
for loopback as they did the bge chip...)

Darren

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I wasn't proposing an interface to control tap location, just flag bits
to record what happened. I once added support to ath(4) to do the
tapping on tx complete so it could include more status.
But I see the point that one has to stop somewhere.

I wonder if what you're looking for is something more akin to
what dtrace allows? bpf's purpose is primarily packet data and
not so much NIC status, etc. A dtrace-like solution would let
you tap packets as they move along, in and out of packets and
at specific "probe" points. I say that because it sounds like
you are just as (if not more) interested in non-packet data
and for that, I think BPF is not really the right answer...

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

No, I am really looking for packet data, but perhaps packet metadata a
la DLT_IEEE802_11_RADIO. As a first step, I want the data source
labeled, so I can know if I have queueing delays or not. The point of
tapping at tx complete is that you can find out how many retries were
used and what the actual rate for that packet was (sometimes an 802.11
interface will drop back to 1 Mb/s after failing to get an ack at the
chosen rate), or if no ack was received. I wanted this data to compute
the ETX metric

http://pdos.csail.mit.edu/papers/grid:mobicom03/paper.pdf
http://pdos.csail.mit.edu/decouto/abstract.html

which is otherwise a bit hard to get. I was relatively unconcerned
about processing overhead and how the software was functioning etc. In
my case I added a new 'tracerecord' DLT that had a metadata record for
each packet with the at-tx-complete stats.

That sounds like a very specialised piece of instrumentation,
which BPF (as a generic packet capture feature) isn't really
well suited to be (I think.)

*but* I do think dtrace would help here... for example, you can
measure the time between a packet entering ip_output and it being
free'd or entering the send routine for a NIC lower down.

I can't see anything in your description that would preclude a
tool like dtrace from being used...

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It would be very nice to be able to annotate where the tap was.
I've often shoved data into the bpf system from unusual places as a
debug feature....
Darren> I wonder if what you're looking for is something more akin
Darren> to what dtrace allows? bpf's purpose is primarily packet
Darren> data and not so much NIC status, etc. A dtrace-like solution
Darren> would let you tap packets as they move along, in and out of
Darren> packets and at specific "probe" points. I say that because
Darren> it sounds like you are just as (if not more) interested in
Darren> non-packet data and for that, I think BPF is not really the
Darren> right answer...

uhm. yeah, dtrace-ish, but really, that's too programmer oriented I
think, even if under the hood that's the right implementation.
--
] Y'avait une poule de jammé dans l'muffler!!!!!!!!! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] ***@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de