Hello Jacob,
If you have a dual processor machine you can spread the
load across both CPUs by doing: (tcpdump used in example)
# tcpdump -i $ifName -w - -s $snapLen $filterCode | tcpdump -r - -w $file
This binds 1 CPU to do the expensive kernel to user space copy and 1
processor to do the decode/write to disk. I came up with this method a few
years back and found it works well on multiprocessor servers.
Also try writing the data to a ramdisk and get even better performance.
Use the tmpfs method on Linux. Use a 2.6 kernel also.
Get the capture size to an absolute minimum you need. This affects
performance considerably.
Finally look at some of the ring buffer techniques for libpcap that are
becoming more popular. This is the final step. PF_RING etc.
Our commercial application NetContExt cannot drop any packets in order to
reconstruct data images and files stored in the payload, I know where you're
coming from! It's a tough task. You will find most SPANs / mirror ports also
drop a lot of traffic.
Hope this helps .. Joe.
--
__o _~o __o
`\<, `\<, `\<,
______________________________________(*)/_(*)__(*)/_(*)__(*)/_(*)________
Im a 21st Century Digital Boy ... I aint got a life, but I got lotsa toys.
*************** Joe Elliott joe@xxxxxxxxx AOL:xqos ********************
- NetContExt - sniffer trace forensics - tcp follow stream analysis -
- Extract data files and Images from tcpdump & ethereal packet payloads -
Inetd.Com Network analysis solutions http://www.inetd.com
--------------------------------------------------------------------------
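As an added example (not code from Joe's post, nor from NetContExt or Inetd), a POSIX shell script that puts the advice above together: the two-tcpdump pipeline with a small snaplen, the capture file placed on a tmpfs mount, and a parser for the run summary that tethereal/tcpdump print, so the kernel drop rate can be measured before and after each tweak. The tmpfs path, the snaplen default and the SIP/RTP filter are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): the two-process capture pipeline
# from Joe's reply, with a minimal snaplen and a tmpfs-backed output file, plus a
# parser for the run summary that tethereal/tcpdump print when the capture ends.
# Assumptions: tcpdump on PATH, root privileges, and a tmpfs mounted at $RAMDISK
# (for example: mount -t tmpfs -o size=2g tmpfs /mnt/pcap_ram).

RAMDISK="${RAMDISK:-/mnt/pcap_ram}"   # assumed tmpfs mount point

# Print the pipeline: the first tcpdump does the kernel-to-user copy, the second
# decodes and writes to disk, so the two halves can land on different CPUs.
build_capture_cmd() {
    printf 'tcpdump -i %s -w - -s %s %s | tcpdump -r - -w %s\n' "$1" "$2" "$3" "$4"
}

# Read a run summary on stdin ("184279 packets dropped", "500000 packets captured")
# and print the drop percentage with two decimals; "0.00" if no counters found.
drop_pct() {
    awk '
        /packets dropped/  { dropped  = $1 + 0 }
        /packets captured/ { captured = $1 + 0 }
        END {
            total = dropped + captured
            if (total == 0) printf "0.00\n"
            else            printf "%.2f\n", 100 * dropped / total
        }'
}

# Run the pipeline until Ctrl-C, then report the drop rate from the summary the
# capturing tcpdump writes to stderr. $3 is the BPF filter; the default is a
# constructed SIP plus RTP port-range filter (an assumption for this example).
run_capture() {
    ifname=$1; snaplen=${2:-96}
    filtercode=${3:-"udp and (port 5060 or portrange 10000-20000)"}
    outfile="$RAMDISK/capture-$(date +%s).pcap"
    summary="$RAMDISK/summary.txt"
    [ -d "$RAMDISK" ] || { echo "tmpfs $RAMDISK not mounted" >&2; return 1; }
    # $filtercode is deliberately unquoted: the filter must be word-split into args.
    tcpdump -i "$ifname" -w - -s "$snaplen" $filtercode 2>"$summary" \
        | tcpdump -r - -w "$outfile"
    printf 'wrote %s; kernel drop rate: %s%%\n' "$outfile" "$(drop_pct < "$summary")"
}

# Only capture when an interface is given via the environment, e.g. CAPTURE_IF=eth1.
if [ -n "${CAPTURE_IF:-}" ]; then run_capture "$CAPTURE_IF"; fi
```

Feeding the counters from Michael's run (184279 dropped, 500000 captured) to drop_pct reports a 26.93% drop rate, which is the baseline to compare against after reducing the snaplen or moving the output to tmpfs.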
On Tue, 18 Oct 2005, Jacobs, Michael wrote:
> Date: Tue, 18 Oct 2005 16:09:59 -0500
> From: "Jacobs, Michael" <Michael.Jacobs@xxxxxxxxxxx>
> Reply-To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] tethereal performance questions
>
> I am using tethereal to capture SIP and RTP traffic to a Session Border
> Controller. I have two Fedora Core 2 machines I use to perform captures.
> Both are dual Xeon 2.6 Mhz, with 2 Ethernet interfaces (Gigabit) and are
> connected to a 3750 Cisco Switch.
>
> When running at approximately 40 MB and capturing 500,000 packets I see
> where there is a large number of packets dropped from either machine:
>
> [root@wigeon mjacobs]# tethereal -i eth1 -q -c 500000 -w junk.eth
> Capturing on eth1
> 184279 packets dropped
> 500000 packets captured
>
> The CPU is running approximately 20% and I do not show memory swapping
> or high i/o wait.
>
> Below is the version of tethereal I have installed (from source):
>
> tethereal -v
> tethereal 0.10.6
> Compiled with GLib 2.4.0, with libpcap 0.8.3, with libz 1.2.1.1,
> with libpcre 5.0, without UCD-SNMP or Net-SNMP, without ADNS.
> Running with libpcap version 0.8.3 on Linux 2.6.8-1.521smp.
>
> Should I expect better performance than this? If so, could someone point
> me in a direction to go to tweak my machines? Searching boards, I found
> some notes a couple of years ago talking about changes to the linux kernel
> and some patches, but nothing specific. I have never dealt with any of
> that before, but since I work in a test lab, trying out these types of
> things is not a problem and how I learn.
>
> Thanks,
>
> Mike