Ethereal-users: Re: [Ethereal-users] tcpdump vs ethereal
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Martin Heroux" <mheroux@xxxxxxx>
Date: Thu, 20 Nov 2003 15:59:43 -0500
One thing I did which works well is that I created a RAM disk of 500MB which I mount under /tmp, so ethereal captures and writes it in RAM... I have 1GB of RAM so I can afford a 500MB ramdisk. The amount of packet drops dropped, but still not 0.

I don't think that we could do a home made sniffer that competes with Dolch or the like, mainly because (that's what I have been told) they capture directly on board and then slowly and quietly download their buffer to a hard drive. The way we are doing it, the packet needs to go through a couple of layers before being written on the disk, it is not right tru.

However, what I am surprised about is that modern SCSI drives turning at 7500 RPM are quite faster than a 1Gbps card, aren't they? So why can the storage unit be a bottleneck?

Still, I don't think a 100K sniffer solution (NAI high-end distributed sniffer solution for example) is worth its price... I, for one, can live with a 0.05% percent of packet loss :-)

"Ronnie Sahlberg" <ronnie_sahlberg@ozemail.com.au>
Sent by: ethereal-users-bounces@ethereal.com
11/20/2003 03:07 PM
To: "Ian Schorr" <spamcontrol2@xxxxxxxxxxx>, "darren" <teodarren@xxxxxxxxxxxxx>
cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] tcpdump vs ethereal

While a high end storage system would be fast, there are some not completely insignificant problems with that approach; it would make a sniffer with VERY good and incredibly fast disk access, yes, but it would also make a VERY expensive sniffer.

It would make it "difficult" to transport the sniffer if you want to move it to a different location, say to that other building. Having to wait for the guy with the forklift to arrive every time you want to move the sniffer would reduce the usability of the sniffer. :-)

Do not underestimate the throughput available on cheap IDE disks. Cheap, yes; random access will be crap on IDE disks; reliability is crap. But even cheap IDE disks are incredibly fast for 100% sequential access. Performing a 100% pure sequential write to an IDE disk or a striped set of IDE disks IS fast. VERY fast. Writing libpcap files is purely sequential access. Especially if bypassing the filesystems and writing straight to the raw device.

----- Original Message -----
From: "Ian Schorr"
Sent: Friday, November 21, 2003 4:42 AM
Subject: Re: [Ethereal-users] tcpdump vs ethereal

> Disk speed is certainly a potential bottleneck when capturing with Ethereal.
>
> Why would you think that using a NAS solution (which would cause you to start making NFS or CIFS calls, adding quite a bit of additional overhead as well as possibly being particularly subject to network latency when performing write I/Os (particularly with Samba/CIFS)) would be faster than writing to a local (or direct-attached) disk/disk array, no matter how expensive the NAS box you use is?
>
> Now, getting a Fibre Channel HBA and connecting to EMC DAS or SAN storage might be a different story...
>
> I doubt getting a solution using Ethereal/tcpdump to capture at the same rates as Infinistream would be as simple as throwing an expensive disk array at the box, but I do think that a fast disk subsystem is crucial to performing near-gigabit rate capture to disk.
>
> Ian
>
> darren wrote:
>
> > Hi,
> >
> > Can the problem with the dropped frames be due to poor storage performance?
> >
> > I was wondering if one can achieve what NAI's Infinistream does by coupling a nice server pc (2 x Xeons 3GHz with 4 GB ram) with a NetApp or EMC NAS solution for better I/O performance. Infinistream is after all using only a RAID5 config.
> >
> > Any comments?
> >
> > -----Original Message-----
> > From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Martin Heroux
> > Sent: Thursday, November 20, 2003 4:58 AM
> > To: ethereal-users@xxxxxxxxxxxx
> > Subject: [Ethereal-users] tcpdump vs ethereal
> >
> > I am experimenting with a proof of concept of using ethereal to replace our distributed sniffer and I see some differences between the traces.
> > It would run on gigabit links, on a RH-9 with 1GB RAM with altheon gigabit cards on optic fiber (SX).
> > We are spanning ports using Cisco 6509.
> >
> > I have 2 interfaces in my proof of concept box, one to sniff and one to access it... I am accessing it through eth1 and sniffing with eth0.
> > eth0 is promiscuous and has no IP address...
> >
> > Here's some quick numbers from a quick trace :-)
> >
> > Distributed sniffer: 2844520 packets captured, no drop
> > tcpdump: 2842639 packets captured, some drop (1881)
> > tcpdump -w /dev/null -i eth0
> >
> > But doing it with ethereal gives
> > 2830298 packets captured, some drop (14222)
> >
> > So I turned the swap off and did the same test (swapoff -a)... no program in swap should increase the performance due to page swapping time...
> >
> > Distributed sniffer: 3025830 packets captured, no drop
> > tcpdump: 3013675 packets captured, (1105 drops)
> > ethereal: 2984633 packets captured, (30147 drops)
> >
> > The switch reports no errors on the ports
> > The interface on which I sniff reports no error or dropped
> >
> > The ethereal -v issues the following
> > ethereal 0.9.16
> > Compiled with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.7.2,
> > with libz 1.1.4, with Net-SNMP 5.0.6, without ADNS
> > Running with libpcap (version unknown) on Linux 2.4.20-6
> >
> > As for libpcap, rpm -qa | grep libpcap returns the following
> > libpcap-0.7.2-1
> >
> > Now, here are my questions:
> > 1- why doesn't tcpdump get the same amount of packets as a regular sniffer (Dolch for instance)? I am using one of the best gigabit cards on the market; I should get the same result. BTW the altheon card can be driven to wire speed, I saw it on an Auspex.
> > 2- why doesn't ethereal, which uses tcpdump, read the same amount of packets?
> > 3- is there any work around?
> > 4- Any other way than tcpdump (libpcap) to sniff and get no or less packet drops, with ethereal?
> >
> > Any help will be appreciated
> >
> > M.H.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
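The thread turns on two numbers: how many bytes per second a capture box must write to keep up with a gigabit link, and how many bytes per second the chosen storage (local disk, ramdisk under /tmp, or a striped set) can actually sustain for the purely sequential pattern that libpcap files produce. The script below is an added example for this page, not code from the Ethereal project or from any of the posters. It computes the required write rate from the link rate and an assumed average frame size (the per-frame libpcap record header and Ethernet preamble/gap overhead are fixed constants), then benchmarks sequential write throughput into a directory of your choosing. The directory, sizes and frame-size assumptions are mine, not from the thread.

```python
"""Capture-to-disk headroom check: link byte rate vs. sequential write rate.

Added example for the tcpdump/ethereal drop discussion; not Ethereal code.
Assumptions (not from the thread): 16-byte libpcap per-packet record header,
20 bytes of preamble + inter-frame gap per frame on the wire, and a default
benchmark directory of the system temp dir (use the ramdisk path to test it).
"""
import os
import tempfile
import time

LINK_BITS_PER_SEC = 1_000_000_000   # gigabit link, as in the thread
PCAP_RECORD_HEADER = 16             # bytes libpcap writes ahead of each packet
ETHERNET_OVERHEAD = 20              # preamble + IFG: occupies wire time, never written


def link_payload_bytes_per_sec(bits_per_sec=LINK_BITS_PER_SEC, avg_frame_bytes=512):
    """Bytes/s a capture must write when the link is saturated with avg_frame_bytes frames.

    Each frame costs (avg_frame_bytes + 20) bytes of wire time but lands on
    disk as (avg_frame_bytes + 16) bytes, so small frames cost more per byte.
    """
    frames_per_sec = bits_per_sec / 8 / (avg_frame_bytes + ETHERNET_OVERHEAD)
    return frames_per_sec * (avg_frame_bytes + PCAP_RECORD_HEADER)


def sequential_write_mbytes_per_sec(directory=None, total_bytes=64 * 1024 * 1024, chunk=1 << 20):
    """Write total_bytes sequentially to a temp file in directory, fsync, return MB/s.

    Unbuffered writes plus a final fsync so the page cache cannot inflate the
    figure; random data so compressing or deduplicating layers cannot cheat.
    """
    directory = directory or tempfile.gettempdir()
    buf = os.urandom(chunk)
    fd, path = tempfile.mkstemp(dir=directory, prefix="seqwrite-")
    try:
        start = time.perf_counter()
        with os.fdopen(fd, "wb", buffering=0) as f:
            remaining = total_bytes
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(buf[:n])
                remaining -= n
            os.fsync(f.fileno())
        elapsed = time.perf_counter() - start
    finally:
        os.unlink(path)
    return total_bytes / elapsed / 1e6


def headroom(measured_mbytes_per_sec, bits_per_sec=LINK_BITS_PER_SEC, avg_frame_bytes=512):
    """Ratio of measured write rate to the required rate; below 1.0 the disk is a bottleneck."""
    required = link_payload_bytes_per_sec(bits_per_sec, avg_frame_bytes) / 1e6
    return measured_mbytes_per_sec / required


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    rate = sequential_write_mbytes_per_sec(target)
    print(f"sequential write to {target or tempfile.gettempdir()}: {rate:.1f} MB/s")
    for frame in (64, 512, 1518):   # min, mid, max Ethernet frame sizes
        print(f"  {frame:4d}-byte frames: need {link_payload_bytes_per_sec(avg_frame_bytes=frame) / 1e6:.1f} MB/s,"
              f" headroom {headroom(rate, avg_frame_bytes=frame):.2f}x")
```

Run it with the capture directory as the argument (for the ramdisk in the post, the mount point under /tmp) and compare the headroom figures against the frame sizes you expect on the span port. Headroom above 1.0 only rules out storage as the limit; it says nothing about the kernel copy path and user-space processing that sit between the NIC and the file, which is consistent with the post's observation that the ramdisk reduced drops without eliminating them.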
- Follow-Ups:
- Re: [Ethereal-users] tcpdump vs ethereal
- From: Ronnie Sahlberg
- Re: [Ethereal-users] tcpdump vs ethereal
- From: Guy Harris
- Re: [Ethereal-users] tcpdump vs ethereal