<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1250">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="State"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal;
font-family:Arial;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi Gianluca<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Yes you right it is a single hyperthreaded
single core CPU and there are two forms of presentation:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Form 1: DPCs are all scheduled on the same
logical CPU and the figures are:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Total: 100%<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>CPU 0: 100%<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>CPU 1: ~0%<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Form 2: DPCs are split between CPUs:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Total: 100%<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>CPU 0: 47%<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>CPU 1: 53%<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Form 2 draws a nice symmetrical pattern in
perfmon around the 50% mark. The DPC Totals for either are reported as
50% however. I presume this is because the box has two logical processors
and so it adds up the amounts on each processor and divides it by the number of
processors.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I should have emailed the group earlier
also (sorry!!!) as we have no managed to send into this state (crashed for want
of a better word) a number of NIC cards by bombarding them with UDP data.
However all the ones we have crashed appear to have crashed around this
rollover value and are Marvell <st1:State w:st="on"><st1:place w:st="on">Yukon</st1:place></st1:State>
based chipsets. Interestingly enough we have tried some alternatives (Broadcom,
netgear, DLink, intel) which use Intel or Realtek chipsets and these *<b><span
style='font-weight:bold'>do NOT</span></b>* crash and indeed we have left the Broadcom
and intel versions running.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Additonally this morning we have setup two
PCs from scratch and *<b><span style='font-weight:bold'>not installed winpcap</span></b>*
and the results persist although instead of the crash occurring after a
determined 6/7 hrs (based on the packet rate and looking at a possible packet
count reap at 32 bits) the XP machine I tried this morning crashed twice within
1 hr, the second time it crashed was actually within about 12 minutes of
kicking the test off after reboot. That said, I have had a 2K and the
same XP machine without winpcap installed running now for over 2 hours.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><b><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy;font-weight:bold'>This
does NOT look like a winpcap issue<o:p></o:p></span></font></b></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Still I shall post the outcome
shortly. I should like to state for the record that I don’t believe
at this point this is a Marvell issue necessarily as Marvell themselves have released
updated drivers as recently as this year. The NIC manufacturer has not
however and so we are in talks with them to see if they can update their
driver. At present we have successfully shoe-horned the Marvell driver
onto our problem NIC and we are going to see if it exhibits this behaviour.
If it does we have some diagnostics from Marvell that may help us identify a
suspect counter wrap…<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Thanks to all the winpcap community and Giancula
for looking at this and I’m sorry to involve winpcap when it now appears it
cannot be anything to do with this issue. The topic may however be of
interest to anyone capturing such huge amounts of UDP data as we as a company
are.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Kind Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Ian Hawley<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Gianluca Varenni
[mailto:gianluca.varenni@cacetech.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> 08 May 2006 15:43<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">Ian
Hawley</st1:PersonName>; winpcap-team@winpcap.org; winpcap-users@winpcap.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Winpcap-team] High
CPU Use Tracked to DPC Time[Scanned]</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>Ian,</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>I haven't tried to replicate the problem on my
machines, but it seems quite strange to me that the DPC time goes to 50%
(probably a HT/multicore/multiprocessor machine and 1 CPU is 100%!?!). </span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>Even if there's a wrap-around bug in WinPcap, I
would expect a blue screen, no packets captured or packets completely dropped,
but not a polling at DPC level (as you seem to be experiencing). As someone
pointed out on the ddk newsgroup, it's possible that a buggy nic driver causes
this effect by not properly acknowledging an interrupt and continuously
scheduling DPCs on the system.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>In any case, I'll try to reproduce the bug on one of
my machines here.</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>Have a nice day</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>GV</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<blockquote style='border:none;border-left:solid black 1.5pt;padding:0cm 0cm 0cm 3.0pt;
margin-left:3.0pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>----- Original Message ----- <o:p></o:p></span></font></p>
</div>
<div style='font-color:black'>
<p class=MsoNormal style='background:#E4E4E4'><b><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial;font-weight:bold'>From:</span></font></b><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> <a
href="mailto:i.hawley@synectics.co.uk" title="i.hawley@synectics.co.uk">Ian
Hawley</a> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><b><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-weight:bold'>To:</span></font></b><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> <a
href="mailto:winpcap-team@winpcap.org" title="winpcap-team@winpcap.org">winpcap-team@winpcap.org</a>
; <a href="mailto:winpcap-users@winpcap.org" title="winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>
<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><b><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-weight:bold'>Sent:</span></font></b><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> Friday, May 05,
2006 9:27 AM<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><b><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;font-weight:bold'>Subject:</span></font></b><font size=2
face=Arial><span style='font-size:10.0pt;font-family:Arial'> [Winpcap-team]
High CPU Use Tracked to DPC Time<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hello Everyone, apologies if you receive this email twice!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The company I work for has been using winpcap for some time
now and we recently noticed an issue which we thought might be NIC related but
could of course be WinPCap related as well and I thought I’d float it by
the mailing list and see if anyone was aware of an issue.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Basically we recording MPEG2 via a UDP packet stream from
proprietary hardware and after a period of time the machine enters a state
where the CPU usage is around 50+% and 50% if that usage is spent servicing DPC
requests according to perfmon.exe. We initially felt this might be the
NIC we are using but we have since recreated this by bombarding a different NIC
with UDP data through a test application and this has presented on that NIC
also. At present I am wondering whether it is an OS issue (we are running
Windows 2000 Service Pack 4 on many boxes) but I am also concerned it might be
our IBM Boxes and of course, our capture mechanism uses WinPCap and not
Winsock.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The curious thing about this collapse of CPU is that it
appears to manifest around about the time when the host machine/application has
received 2^32 packets. Knowing the data rate we are sending to the box we
are able to predict quite accurately as to when the machine will enter this
state and it appears to suggest that some driver or piece of hardware or
windows itself is wrapping a 32bit counter and not handling the wrap correctly.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>We are presently trying various other network cards, Windows
XP and different PCs to see if we can get it to manifest but I wanted to ask
the WinPCap community if there was something that might go pop with such a
large volume of data? By accident we are using an oldish beta of WinPCap
3.0 but one of our engineers hasn’t seen any evidence that the release
version of 3.0 nor a subsequent version might fix this. We are however
going to set our test apps running on a similar box using WinPCap 3.1.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Note again that we have detached our proprietary hardware
from the PC and managed to generate the problem without using that hardware so
we are very confident that this has nothing to do with the issue. The
curious thing is that once the CPU has jumped into this state it does not
matter whether the data continues to be fed to the NIC; if you stop the
application that is bombarding the NIC with data, the CPU continues to be
stoically at the 50% mark. Curiously the number DPCs queued/second
appears to drop from what appears normal at circa 2000/second to around
40/second (this is while data is going into it, I have no metrics for when
there is no data atm). As strange is that if you unplug the NIC cable,
then the CPU drops back to ostensibly zero and the PC is happy again.
Plug the cable back in however and the CPU shoots back to 50%. Unplug the
cable from the PC and plug it into a hub with <i><span style='font-style:italic'>nothing
else attached </span></i>and it is still at 50%.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I would like to emphasize that the position we are in
presently means that we do not know if it is the IBM PCs we are using, the 3COM
NIC, some BIOS setting, the Operating System (Old systems are running 2K and we
are trying to see if it presents on XP) or some setting we have incorrect
somewhere, as unlikely as that might seem. I am not saying it is
definitely a WinPCap issue, but it would be very interesting if any of the
winpcap team could think if a way that it <i><span style='font-style:italic'>might</span></i>
be.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any help would be greatly appreciated.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Kind Regards<o:p></o:p></span></font></p>
<p class=MsoNormal><st1:PersonName w:st="on"><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Ian Hawley</span></font></st1:PersonName><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'>--<br>
No virus found in this outgoing message.<br>
Checked by AVG Free Edition.<br>
Version: 7.1.392 / Virus Database: 268.5.4/332 - Release Date: 04/05/2006</span></font><o:p></o:p></p>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>_______________________________________________<br>
Winpcap-team mailing list<br>
Winpcap-team@winpcap.org<br>
https://www.winpcap.org/mailman/listinfo/winpcap-team<o:p></o:p></span></font></p>
</blockquote>
</div>
</body>
</html>
<BR>
<P><FONT SIZE=2>--<BR>
No virus found in this incoming message.<BR>
Checked by AVG Free Edition.<BR>
Version: 7.1.392 / Virus Database: 268.5.5/333 - Release Date: 05/05/2006<BR>
</FONT> </P><BR>
<P><FONT SIZE=2>--<BR>
No virus found in this outgoing message.<BR>
Checked by AVG Free Edition.<BR>
Version: 7.1.392 / Virus Database: 268.5.5/333 - Release Date: 05/05/2006<BR>
</FONT> </P>