Hello Jacob,
My pipe example with tcpdump does not work with tethereal as the -r
switch to read a file does not handle STDIN. It works fine with tcpdump.
Can the developers put the '-r -' functionality in?
For now, I suggest you use tcpdump to collect packets. You can always
read the saved pcap packet file with ethereal later.
So to collect web traffic on Linux with this method you would use:
# mount -t tmpfs -o size=256M tmpfs /ramdisk
# tcpdump -i eth0 -w - -s 90 tcp port 80 | tcpdump -r - -w /ramdisk/file.pcap
Then later read file.pcap with ethereal.
It's interesting to watch 'top' on a heavily loaded machine with this method
and see how the OS balances the load of each component.
It's the interrupts that kill you, not the OS load.
Joe.
--
*************** Joe Elliott joe@xxxxxxxxx AOL:xqos ********************
- NetContExt - sniffer trace forensics - tcp follow stream analysis -
- Extract data files and Images from tcpdump & ethereal packet payloads -
Inetd.Com Network analysis solutions http://www.inetd.com
--------------------------------------------------------------------------
On Tue, 18 Oct 2005, Joe Elliott wrote:
> Date: Tue, 18 Oct 2005 14:26:42 -0700 (PDT)
> From: Joe Elliott <joe@xxxxxxxxx>
> Reply-To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
> Subject: Re: [Ethereal-users] tethereal performance questions
>
> Hello Jacob,
> If you have a dual processor machine you can spread the
> load across both CPUs by doing: (tcpdump used in example)
>
> # tcpdump -i $ifName -w - -s $snapLen $filterCode | tcpdump -r - -w $file
>
> This binds 1 CPU to do the expensive kernel to user space copy and 1
> processor to do the decode/write to disk. I came up with this method a few
> years back and found it works well on multiprocessor servers.
>
> Also try writing the data to a ramdisk and get even better performance.
> Use the tmpfs method on Linux. Use a 2.6 kernel also.
>
> Get the capture size to an absolute minimum you need. This affects
> performance considerably.
>
> Finally look at some of the ring buffer techniques for libpcap that are
> becoming more popular. This is the final step. PF_RING etc.
>
> Our commercial application NetContExt cannot drop any packets in order to
> reconstruct data images and files stored in the payload, I know where you're
> coming from! It's a tough task. You will find most SPANs / mirror ports also
> drop a lot of traffic.
>
> Hope this helps .. Joe.
>
>
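The capture method described in both messages above (two tcpdump processes joined by a pipe, a minimal snaplen, output on a tmpfs ramdisk), as an added shell example that is not part of the original post. It assumes the interface name eth0, a snaplen of 90, the mount point /ramdisk and constructed tcpdump statistics lines for the offline checks; the real capture itself needs root and a live interface.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the two-process tcpdump
# pipeline (tcpdump -w - | tcpdump -r - -w file) with two checks a practitioner
# wants: that the output really lands on tmpfs, and whether the kernel dropped
# packets. Interface, snaplen, paths and sample stats lines are assumptions.

# Return 0 if DIR is mounted as tmpfs, reading a mounts table (default
# /proc/mounts; a path can be passed so the check is testable offline).
is_tmpfs_mount() {
    dir=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d && $3 == "tmpfs" { found = 1 } END { exit !found }' "$mounts"
}

# tcpdump prints "N packets dropped by kernel" to stderr on exit; read that
# summary from stdin and print the drop count so a lossy capture is noticed
# instead of being trusted as complete.
kernel_drops() {
    awk '/dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# Run the capture: one tcpdump pulls packets out of the kernel with the smallest
# usable snaplen and streams pcap to stdout, a second reads stdin (-r -) and
# writes the file, so the copy and the write can land on different CPUs.
# Refuses unless OUTFILE is on a tmpfs mount; returns non-zero if packets were
# dropped. Needs root and a real interface, e.g.:
#   capture_to_ramdisk eth0 90 /ramdisk/file.pcap tcp port 80
capture_to_ramdisk() {
    ifname=$1; snaplen=$2; outfile=$3; shift 3
    outdir=$(dirname "$outfile")
    if ! is_tmpfs_mount "$outdir"; then
        echo "$outdir is not a tmpfs mount; mount one first" >&2
        return 2
    fi
    stats=$(mktemp)
    tcpdump -i "$ifname" -w - -s "$snaplen" "$@" 2>"$stats" \
        | tcpdump -r - -w "$outfile"
    drops=$(kernel_drops <"$stats")
    rm -f "$stats"
    echo "kernel drops: $drops" >&2
    [ "$drops" -eq 0 ]
}
```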