There is a patch for Linux that makes libpcap faster by reducing the number
of copies of the packet that are necessary.
I can't find it right now, but some googling should find it.
When you run tethereal or tcpdump to capture the data, use nice to elevate
its priority.
Better, if using Linux, make tethereal/tcpdump a real-time process and give
it the highest possible priority.
Make sure to stop all unnecessary processes and daemons that might chew up
some CPU and memory.
Important: make sure the disk subsystem is fast.
Get as many of the fastest IDE controllers you can get. Get 8 fast IDE
disks. Try to distribute the disks as well as possible across the
controllers.
These disks are for capturing ONLY. Install Linux and all the software on a
separate dedicated disk.
Make sure the highest, meanest DMA mode the disks/controllers can take is
activated using hdparm.
Create a stripe volume across the 8 IDE disks. You may find that the software
striping in Linux is faster than an IDE HW RAID card.
Test capturing to the raw striped volume.
Then put a filesystem on the striped volume and test again.
Get as fast a CPU and as much memory as possible.
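The capture-host tuning steps above, gathered into one script as an added example that is not from this thread or from the Ethereal project. It assumes util-linux chrt, hdparm, mdadm and tcpdump are installed; the disk device names, /dev/md0 and the udma5 mode are placeholders, and the two helper functions parse hdparm's DMA flag and tcpdump's exit counters so the drop rate of each test run can be compared the way the poster did.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: util-linux chrt, hdparm,
# mdadm and tcpdump are installed, the eight capture-only disks are the
# devices in CAP_DISKS, the stripe becomes /dev/md0 and udma5 is the
# fastest mode the controllers accept (all placeholders).
set -e

CAP_DISKS="/dev/hde /dev/hdg /dev/hdi /dev/hdk /dev/hdf /dev/hdh /dev/hdj /dev/hdl"
STRIPE=/dev/md0
IFACE=eth0

# dma_state: read 'hdparm -d <disk>' output (passed as $1) and print
# 1 when DMA is on, 0 when it is off.
dma_state() {
    printf '%s\n' "$1" | sed -n 's/.*using_dma *= *\([01]\).*/\1/p'
}

# drop_pct: kernel drop rate in percent from tcpdump's final counters
# ($1 = packets received by filter, $2 = packets dropped by kernel).
drop_pct() {
    LC_ALL=C awk -v r="$1" -v d="$2" \
        'BEGIN { printf "%.2f\n", (r > 0) ? 100 * d / r : 0 }'
}

# stats_drop_pct: parse the summary tcpdump prints on stderr at exit
# (passed as $1) and report the drop rate, so test runs can be compared.
stats_drop_pct() {
    recv=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]*\) packets received by filter.*/\1/p')
    drop=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]*\) packets dropped by kernel.*/\1/p')
    drop_pct "$recv" "$drop"
}

# The root-only tuning and capture steps run only as: ./capture-tune.sh apply
if [ "${1:-}" = "apply" ]; then
    for d in $CAP_DISKS; do
        hdparm -d1 -X udma5 "$d"            # DMA on, fastest UDMA mode
        [ "$(dma_state "$(hdparm -d "$d")")" = 1 ] ||
            { echo "DMA still off on $d" >&2; exit 1; }
    done
    # Software RAID-0 stripe across all eight capture disks
    mdadm --create "$STRIPE" --level=0 --raid-devices=8 $CAP_DISKS
    swapoff -a                              # the poster's no-swap test
    # Real-time FIFO priority 99, writing straight to the raw stripe
    chrt -f 99 tcpdump -i "$IFACE" -w "$STRIPE"
fi
```

Run each test capture with the real-time command, feed tcpdump's closing counters to stats_drop_pct, and compare the percentages with and without swap, striping or the filesystem.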
----- Original Message -----
From: "Martin Heroux"
Sent: Thursday, November 20, 2003 7:58 AM
Subject: [Ethereal-users] tcpdump vs ethereal
> I am running a proof of concept of using ethereal to replace our
> distributed sniffer and I see some differences between the traces.
> It would run on gigabit links, on RH-9 with 1GB RAM with Alteon
> gigabit cards on optic fiber (SX).
> We are spanning ports using a Cisco 6509.
>
> I have 2 interfaces in my proof of concept box, one to sniff and one to
> access it... I am accessing it through eth1 and sniffing with eth0.
> eth0 is promiscuous and has no IP address...
>
> Here are some quick numbers from a quick trace :-)
>
> Distributed sniffer: 2844520 packets captured, no drop
> tcpdump: 2842639 packets captured, some drop (1881)
> tcpdump -w /dev/null -i eth0
>
> But doing it with ethereal gives
> 2830298 packets captured, some drop (14222)
>
> So I turned the swap off and did the same test (swapoff -a)... no program
> in swap should increase the performance due to page swapping time...
> Distributed sniffer: 3025830 packets captured, no drop
> tcpdump: 3013675 packets captured, (1105 drops)
> ethereal: 2984633 packets captured, (30147 drops)
>
> The switch reports no errors on the ports
> The interface on which I sniff reports no error or dropped
>
> ethereal -v issues the following:
> ethereal 0.9.16
> Compiled with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.7.2,
> with libz 1.1.4, with Net-SNMP 5.0.6, without ADNS
> Running with libpcap (version unknown) on Linux 2.4.20-6
>
> As for libpcap, rpm -qa | grep libpcap returns the following:
> libpcap-0.7.2-1
>
> Now, here are my questions:
> 1- Why doesn't tcpdump get the same amount of packets as a regular
> sniffer (Dolch for instance)? I am using one of the best gigabit cards on
> the market; I should get the same result. BTW, the Alteon card can be driven
> to wire speed, I saw it on an Auspex.
> 2- Why does ethereal, which uses tcpdump, not read the same amount of
> packets?
> 3- Is there any workaround?
> 4- Any other way than tcpdump (libpcap) to sniff and get no or fewer packet
> drops with ethereal?
>
> Any help will be appreciated
>
> M.H.
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users