I wrote an Ethernet sniffer in Python. It basically opens a socket, sets it to promiscuous mode and then parses every incoming packet, e.g.:
import ctypes
import fcntl
import socket
import struct

IF = "eth0"
ETH_P_ALL = socket.htons(0x0003)  # capture every EtherType
SIOCGIFFLAGS = 0x8913
SIOCSIFFLAGS = 0x8914
IFF_PROMISC = 0x100

class ifreq(ctypes.Structure):
    # Mirrors struct ifreq from <net/if.h>: interface name plus the flags field
    _fields_ = [("ifr_ifrn", ctypes.c_char * 16),
                ("ifr_flags", ctypes.c_short)]

def parse_packet(pkt):
    # Ethernet header: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType
    dst, src, ethertype = struct.unpack("!6s6sH", pkt[:14])
    return dst, src, ethertype

s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, ETH_P_ALL)
ifr = ifreq()
ifr.ifr_ifrn = IF.encode()
# Get flags
fcntl.ioctl(s, SIOCGIFFLAGS, ifr)
# Add promiscuous
ifr.ifr_flags |= IFF_PROMISC
# Set flags
fcntl.ioctl(s, SIOCSIFFLAGS, ifr)
while True:
    pkt_raw, sa_ll = s.recvfrom(65535)
    parse_packet(pkt_raw)
Alongside this, I have a measuring function which counts the number of incoming packets per second. To generate packets, I configured a switch such that it forwards all packets to the interface (port mirroring). That is, the incoming packets are not specific to this machine.
Given this setup, I can see rates of around 250 packets/sec. However, if I also run tcpdump -n -i eth0 in parallel, the rate suddenly goes up to roughly 5000 packets/sec. Interestingly, this only happens if I run tcpdump in the foreground; e.g. tcpdump -n -i eth0 > foo does not change the rate of incoming packets.
The question is: what does tcpdump do differently when run in the foreground so that the rate of packets is much higher, and how can I enable this behaviour in the Python sniffer?
Turns out that this is a homemade mistake. Since the sniffer is working on a server whose traffic is also mirrored, the packet rate always goes up when there is action on the terminal via SSH.
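As an added example (not code from the question or the answer), a per-second counter that keeps frames carrying the sniffing host's own MAC address (its SSH session, for instance) apart from genuinely mirrored frames, so the feedback loop the answer describes shows up as its own number rather than inflating the measured rate. LOCAL_MAC, the other addresses and the sample frames are constructed; on a real host you would read the MAC from /sys/class/net/eth0/address and feed (time.time(), pkt_raw) pairs from the recvfrom loop.

```python
import struct
from collections import Counter, defaultdict

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (network order)

def mac_bytes(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify_frame(frame, local_mac):
    """'local' if the sniffing host's own MAC is the source or destination
    (its SSH session, for instance), 'mirrored' otherwise, 'runt' if the
    frame is too short to carry an Ethernet header."""
    if len(frame) < ETH_HDR.size:
        return "runt"
    dst, src, _ethertype = ETH_HDR.unpack_from(frame)
    return "local" if local_mac in (src, dst) else "mirrored"

def per_second_rates(timestamped_frames, local_mac):
    """Bucket (timestamp, frame) pairs into whole seconds and count each
    class per bucket, so host-generated traffic can be read separately
    from the genuinely mirrored traffic. Returns {second: {class: n}}."""
    buckets = defaultdict(Counter)
    for ts, frame in timestamped_frames:
        buckets[int(ts)][classify_frame(frame, local_mac)] += 1
    return {sec: dict(counts) for sec, counts in sorted(buckets.items())}

# Constructed sample input (not captured traffic). Assumed addresses:
# LOCAL_MAC is the sniffing host's NIC, HOST_A/HOST_B are two mirrored hosts.
LOCAL_MAC = mac_bytes("02:00:00:00:00:01")
HOST_A = mac_bytes("02:00:00:00:00:aa")
HOST_B = mac_bytes("02:00:00:00:00:bb")
PAD = b"\x00" * 46  # minimum Ethernet payload

def build_frame(dst, src):
    return ETH_HDR.pack(dst, src, 0x0800) + PAD

SAMPLE = [
    (100.10, build_frame(HOST_B, HOST_A)),     # second 100: mirrored
    (100.40, build_frame(HOST_A, HOST_B)),     # second 100: mirrored
    (100.90, build_frame(HOST_A, LOCAL_MAC)),  # second 100: host's own SSH output
    (101.20, build_frame(LOCAL_MAC, HOST_A)),  # second 101: reply to the host
    (101.50, b"\x00" * 8),                     # second 101: truncated frame
]

if __name__ == "__main__":
    for sec, counts in per_second_rates(SAMPLE, LOCAL_MAC).items():
        print(sec, counts)
```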