Use tshark to filter HTTP streams

Below is a screenshot of the HTTP flows: the GET request spans packets 4 and 5, while the response is packet 9:

To filter the HTTP stream, if you use -Y http on its own:

$ tshark -nr tcp.pcap -Y http -w http.pcap

only the last segment of the GET request (packet 5) is saved to the file. In single-pass mode tshark applies the display filter as each packet is dissected; when packet 4 is processed it is not yet known to be part of an HTTP request, so only packet 5, where the reassembled request completes, matches http:

So the -2 option (two-pass analysis) is needed: the first pass dissects everything and builds the reassembly state, and the second pass applies the filter with that knowledge, so every segment belonging to a matched HTTP PDU is written:

$ tshark -nr tcp.pcap -Y http -2 -w http.pcap

This time, the full GET request (packets 4 and 5) is saved:
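As an added example (not from the original post), the C program below writes a small pcap file in which one GET request is deliberately split across two TCP segments, so the one-pass versus two-pass difference described above can be reproduced with any tshark build. Addresses, ports, sequence numbers and the HTTP payloads are constructed; IP and TCP checksums are computed so Wireshark shows no checksum warnings, and the file is written in native byte order, which libpcap detects from the magic number.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_IP   0x0A000001u  /* 10.0.0.1, constructed */
#define SERVER_IP   0x0A000002u  /* 10.0.0.2, constructed */
#define CLIENT_PORT 40000
#define SERVER_PORT 80
#define TH_SYN 0x02
#define TH_PSH 0x08
#define TH_ACK 0x10

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 ones-complement checksum over big-endian 16-bit words; seed lets
 * the caller fold in a pseudo-header sum first. */
uint16_t inet_checksum(const uint8_t *data, size_t len, uint32_t seed)
{
    uint32_t sum = seed;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build one Ethernet/IPv4/TCP frame into out; returns the frame length. */
size_t build_tcp_frame(uint8_t *out, uint32_t sip, uint32_t dip, uint16_t sport,
                       uint16_t dport, uint32_t seq, uint32_t ack, uint8_t flags,
                       const char *payload, size_t plen)
{
    uint8_t *eth = out, *ip = out + 14, *tcp = out + 34, pseudo[12];
    uint32_t seed = 0;

    memset(out, 0, 54);
    memset(eth, 0x02, 6); memset(eth + 6, 0x04, 6); put16(eth + 12, 0x0800);   /* dummy MACs, IPv4 */
    ip[0] = 0x45; put16(ip + 2, (uint16_t)(40 + plen)); ip[8] = 64; ip[9] = 6; /* IHL 5, TTL 64, TCP */
    put32(ip + 12, sip); put32(ip + 16, dip);
    put16(ip + 10, inet_checksum(ip, 20, 0));
    put16(tcp, sport); put16(tcp + 2, dport); put32(tcp + 4, seq); put32(tcp + 8, ack);
    tcp[12] = 0x50; tcp[13] = flags; put16(tcp + 14, 65535);                   /* data offset 5, window */
    memcpy(tcp + 20, payload, plen);
    /* The TCP checksum also covers a pseudo-header: addresses, protocol, TCP length. */
    put32(pseudo, sip); put32(pseudo + 4, dip); pseudo[8] = 0; pseudo[9] = 6;
    put16(pseudo + 10, (uint16_t)(20 + plen));
    for (int i = 0; i < 12; i += 2) seed += ((uint32_t)pseudo[i] << 8) | pseudo[i + 1];
    put16(tcp + 16, inet_checksum(tcp, 20 + plen, seed));
    return 54 + plen;
}

static int fw(FILE *f, const void *p, size_t n) { return fwrite(p, 1, n, f) == n ? 0 : -1; }

/* Write the conversation as a classic libpcap file. Returns the packet count, or -1. */
int write_split_get_pcap(const char *path)
{
    static const char req1[] = "GET /index.html HTTP/1.1\r\nHost: exam";   /* constructed */
    static const char req2[] = "ple.com\r\nUser-Agent: demo\r\n\r\n";       /* constructed */
    static const char resp[] = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok";
    size_t l1 = strlen(req1), l2 = strlen(req2), l3 = strlen(resp);
    uint32_t cs = 1000, ss = 5000;                  /* initial sequence numbers, constructed */
    struct { int c2s; uint32_t seq, ack; uint8_t flags; const char *p; size_t n; } pk[] = {
        { 1, cs,          0,                TH_SYN,          "",   0  },
        { 0, ss,          cs + 1,           TH_SYN | TH_ACK, "",   0  },
        { 1, cs + 1,      ss + 1,           TH_ACK,          "",   0  },
        { 1, cs + 1,      ss + 1,           TH_PSH | TH_ACK, req1, l1 }, /* GET, first segment  */
        { 1, cs + 1 + l1, ss + 1,           TH_PSH | TH_ACK, req2, l2 }, /* GET, second segment */
        { 0, ss + 1,      cs + 1 + l1 + l2, TH_ACK,          "",   0  },
        { 0, ss + 1,      cs + 1 + l1 + l2, TH_PSH | TH_ACK, resp, l3 }, /* response            */
    };
    uint32_t magic = 0xa1b2c3d4u, zero = 0, snaplen = 65535, linktype = 1; /* LINKTYPE_ETHERNET */
    uint16_t version[2] = { 2, 4 };
    uint8_t frame[256];
    int n = (int)(sizeof pk / sizeof pk[0]);
    FILE *f = fopen(path, "wb");

    if (!f) return -1;
    if (fw(f, &magic, 4) || fw(f, version, 4) || fw(f, &zero, 4) || fw(f, &zero, 4) ||
        fw(f, &snaplen, 4) || fw(f, &linktype, 4)) { fclose(f); return -1; }
    for (int i = 0; i < n; i++) {
        uint32_t sip = pk[i].c2s ? CLIENT_IP : SERVER_IP, dip = pk[i].c2s ? SERVER_IP : CLIENT_IP;
        uint16_t sp = pk[i].c2s ? CLIENT_PORT : SERVER_PORT, dp = pk[i].c2s ? SERVER_PORT : CLIENT_PORT;
        uint32_t len = (uint32_t)build_tcp_frame(frame, sip, dip, sp, dp, pk[i].seq, pk[i].ack,
                                                 pk[i].flags, pk[i].p, pk[i].n);
        uint32_t rec[4] = { 1700000000u, (uint32_t)i * 1000u, len, len }; /* ts_sec, ts_usec, incl_len, orig_len */
        if (fw(f, rec, 16) || fw(f, frame, len)) { fclose(f); return -1; }
    }
    return fclose(f) == 0 ? n : -1;
}

int main(void)
{
    int n = write_split_get_pcap("split_get.pcap");
    if (n < 0) { perror("split_get.pcap"); return 1; }
    printf("wrote %d packets to split_get.pcap\n", n);
    return 0;
}
```

After running it, compare tshark -nr split_get.pcap -Y http -w one.pcap with tshark -nr split_get.pcap -Y http -2 -w two.pcap: the first request segment should only appear in the two-pass output, while the second segment and the response appear in both. Frame numbers differ from the screenshot because this capture contains nothing but the one conversation.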

An issue related to uninitialised memory

Today I ran into an interesting bug: a C program behaved differently between debug (gcc -O0) and release (gcc -O3) builds.

First, I compared the logs of the two builds and pinned down the function in which they began to diverge.

Second, I used gdb to debug the two programs simultaneously and checked the variables' values, and found one variable whose value differed between the two and caused them to take different branches of an if-else statement. This was the root cause.

My gut feeling was that the release build might be fetching a stale value, but after reviewing the code carefully I found that the block of heap memory the variable belonged to was never initialised, which means the read is the notorious "undefined behaviour": the compiler may assume it never happens, so at -O3 the branch can be evaluated in a way that has nothing to do with the bytes actually sitting in the block.

As far as I know, variables are left uninitialised for two reasons:
(1) The programmer forgets;
(2) The programmer reckons the variable will be assigned a correct value before use, and initialising a block of memory may carry a performance penalty.
Anyway, the lesson I learnt today: unless you are 100% sure it is OK to leave the variable uninitialised, initialise it; this can save you several hours in the future.
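As an added example (not the program from the post, whose code is not shown), here is the shape of the bug in C: a heap-allocated struct whose constructor forgets one field, and an if-else that reads it. The struct, field names and the authorisation rule are made up for illustration; the fixed constructor beside it zeroes the block and sets every field.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct request {
    char path[64];
    int  method;
    int  is_admin;      /* the field the buggy constructor never sets */
};

/* Buggy: malloc() returns a block holding whatever bytes were last in it;
 * is_admin is never written, so reading it later is undefined behaviour. */
struct request *request_new_buggy(const char *path, int method)
{
    struct request *r = malloc(sizeof *r);
    if (!r)
        return NULL;
    strncpy(r->path, path, sizeof r->path - 1);
    r->path[sizeof r->path - 1] = '\0';
    r->method = method;
    /* r->is_admin forgotten here */
    return r;
}

/* Fixed: zero the whole block (calloc, or memset after malloc) and set every
 * field explicitly, so the value read in authorize() is always defined. */
struct request *request_new(const char *path, int method)
{
    struct request *r = calloc(1, sizeof *r);
    if (!r)
        return NULL;
    strncpy(r->path, path, sizeof r->path - 1);
    r->method = method;
    r->is_admin = 0;
    return r;
}

/* The if-else whose outcome diverged between the two builds in the post:
 * with the buggy constructor the branch depends on an uninitialised int. */
int authorize(const struct request *r)
{
    if (r->is_admin)
        return 1;                                   /* admins see everything */
    return strncmp(r->path, "/public/", 8) == 0;    /* everyone else: public tree only */
}

int main(void)
{
    /* Leave a stale non-zero is_admin in a freed block of the same size. Many
     * allocators hand that block back to the next malloc() of that size, which
     * is how a "stale value" shows up (allocator-dependent, never guaranteed). */
    struct request *stale = malloc(sizeof *stale);
    if (stale) {
        memset(stale, 0, sizeof *stale);
        stale->is_admin = 1;
        free(stale);
    }
    struct request *buggy = request_new_buggy("/admin/users", 0);
    struct request *fixed = request_new("/admin/users", 0);
    if (!buggy || !fixed)
        return 1;
    printf("buggy: authorize=%d (undefined: whatever the block held)\n", authorize(buggy));
    printf("fixed: authorize=%d\n", authorize(fixed));
    free(buggy);
    free(fixed);
    return 0;
}
```

The buggy result cannot be asserted on, which is the whole point: it is whatever the allocator and the optimiser happen to produce. Tools make the bug reproducible before it reaches production: valgrind's memcheck reports "Conditional jump or move depends on uninitialised value(s)" at the if, clang's MemorySanitizer (-fsanitize=memory) aborts with use-of-uninitialized-value, and on glibc setting MALLOC_PERTURB_ fills freshly allocated memory with a fixed byte so the "stale" branch is taken deterministically.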

Use DTrace on OmniOS

Using DTrace on OmniOS is not straightforward out of the box:

$ pfexec dtrace -n 'syscall:::'
dtrace: failed to initialize dtrace: DTrace device not available on system

Both the dtrace and dtrace/providers packages need to be installed:

$ pfexec pkg install dtrace dtrace/providers

Now the DTrace kernel module is loaded:

$ modinfo | grep dtrace
  5 fffffffff8243000  1af28 280   1  dtrace (Dynamic Tracing)

Now the dtrace command works!

P.S. Thanks to Andy Fiddaman for his help!

Process pcapng file with multiple interfaces

When processing a pcapng file that has multiple interfaces, you may meet the following error from libpcap:

pcap_next_ex() [an interface has a snapshot length 262144 different from the type of the first interface]

capinfos then shows that there are multiple interfaces with different capture lengths:

$ capinfos test.pcapng
File name:           test.pcapng
File type:           Wireshark/... - pcapng
......
Number of interfaces in file: 2
Interface #0 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 1600
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Number of stat entries = 0
                     Number of packets = 2474
Interface #1 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Number of stat entries = 0
                     Number of packets = 13

One solution is to convert the pcapng file to pcap, which libpcap can then process. A pcap file carries a single link type and snapshot length, so the conversion discards pcapng-only data such as the per-interface details and packet comments:

$ tshark -F pcap -r test.pcapng -w test.pcap
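As an added example (not from the original post), the C program below walks the pcapng block chain, reads the SnapLen from every Interface Description Block, and reports whether the interfaces disagree, which is the condition behind the error above. It handles both byte orders via the Section Header Block's byte-order magic and validates block lengths so a truncated file is rejected rather than over-read. The embedded sample file is constructed to mirror the capinfos output in the post (SnapLen 1600 and 262144); pass a path on the command line to check a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PCAPNG_SHB       0x0A0D0D0Au
#define PCAPNG_IDB       0x00000001u
#define BYTE_ORDER_MAGIC 0x1A2B3C4Du

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Walk the block chain: record each IDB's SnapLen into snap[] (up to max
 * entries) and return the IDB count, or -1 if the file is malformed. *mismatch
 * becomes 1 when some IDB's SnapLen differs from the first IDB's. Options and
 * packet data are skipped by advancing by Block Total Length. */
int pcapng_scan_idbs(const uint8_t *buf, size_t len, uint32_t *snap, size_t max, int *mismatch)
{
    size_t off = 0;
    uint32_t first = 0;
    int le = 1, n = 0;

    *mismatch = 0;
    while (off + 12 <= len) {
        if (rd32(buf + off, 1) == PCAPNG_SHB) {            /* SHB type is a palindrome */
            /* The byte-order magic right after the block header decides endianness. */
            if (rd32(buf + off + 8, 1) == BYTE_ORDER_MAGIC) le = 1;
            else if (rd32(buf + off + 8, 0) == BYTE_ORDER_MAGIC) le = 0;
            else return -1;
        } else if (off == 0) {
            return -1;                                       /* a pcapng file starts with an SHB */
        }
        uint32_t type = rd32(buf + off, le);
        uint32_t blen = rd32(buf + off + 4, le);
        if (blen < 12 || blen % 4 != 0 || blen > len - off) return -1;
        if (rd32(buf + off + blen - 4, le) != blen) return -1; /* trailing length must agree */
        if (type == PCAPNG_IDB) {
            if (blen < 20) return -1;                        /* LinkType(2) Reserved(2) SnapLen(4) */
            uint32_t s = rd32(buf + off + 12, le);
            if (n == 0) first = s;
            else if (s != first) *mismatch = 1;
            if ((size_t)n < max) snap[n] = s;
            n++;
        }
        off += blen;
    }
    return n;
}

/* Read a whole file and report per-interface SnapLens, plus whether libpcap
 * will refuse it. Returns the IDB count or -1. */
int pcapng_check_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);
    if (size <= 0) { fclose(f); return -1; }
    uint8_t *buf = malloc((size_t)size);
    if (!buf || fread(buf, 1, (size_t)size, f) != (size_t)size) { free(buf); fclose(f); return -1; }
    fclose(f);
    uint32_t snap[64];
    int mismatch, n = pcapng_scan_idbs(buf, (size_t)size, snap, 64, &mismatch);
    free(buf);
    for (int i = 0; i < n && i < 64; i++)
        printf("Interface #%d: SnapLen = %u\n", i, snap[i]);
    if (mismatch)
        printf("SnapLens differ: libpcap will reject this file; convert it with tshark -F pcap\n");
    return n;
}

/* Constructed little-endian pcapng: SHB, IDB (SnapLen 1600), IDB (SnapLen 262144),
 * and one Enhanced Packet Block with 4 bytes of data on interface 0. */
static const uint8_t sample_pcapng[] = {
    0x0A,0x0D,0x0D,0x0A, 0x1C,0x00,0x00,0x00, 0x4D,0x3C,0x2B,0x1A, 0x01,0x00,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 0x1C,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x14,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x40,0x06,0x00,0x00, 0x14,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x14,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x04,0x00, 0x14,0x00,0x00,0x00,
    0x06,0x00,0x00,0x00, 0x24,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0xDE,0xAD,0xBE,0xEF, 0x24,0x00,0x00,0x00,
};

int main(int argc, char **argv)
{
    if (argc > 1)
        return pcapng_check_file(argv[1]) < 0;
    uint32_t snap[8];
    int mismatch, n = pcapng_scan_idbs(sample_pcapng, sizeof sample_pcapng, snap, 8, &mismatch);
    printf("constructed sample: %d interfaces, SnapLen %u and %u, mismatch=%d\n",
           n, snap[0], snap[1], mismatch);
    return 0;
}
```

Running this on a capture before handing it to a libpcap-based tool tells you in advance whether the conversion step is needed, and which interface introduced the odd snapshot length.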