On Wed, Dec 12, 2012 at 2:33 PM, John Powell <jrp999@xxxxxxxxx> wrote:
> Hi Everyone,
>
> I am using DUMPCAP to capture packets in a high packet rate environment.
>
> My operating system is: CENTOS 6.3
>
> I am experiencing this problem on source compiled versions: wireshark-1.6.12
> and wireshark-1.8.4.
>
> In order to allow DUMPCAP to be run as a NON-ROOT user I am using the
> following:
>
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap -v
>
> The issue is that I am experiencing packet loss due to apparent disk contention
> when writing the packets to the disk - see attached file:
> packet-loss-atop.txt
>
> To help alleviate the problem I have tried the following:
>
> Disabled SELINUX
> Disabled AUDIT
> RAID 0 (striped disks) to load share the writing out of the data
>
> ARRAY /dev/md2 level=raid0 num-devices=2
> devices=/dev/sda4,/dev/sdb4
>
> Turn off journals on ext4
>
> tune2fs -o journal_data_writeback /dev/md2
> tune2fs -O ^has_journal /dev/md2
> change fstab to:
>
> UUID=.. /data ext4 defaults,data="" 0 0
>
> Use -B option on Dumpcap to buffer the data
>
> root /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not
> udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b filesize:250000 -b
> duration:900 -w /data/eth1.cap
>
> These changes have increased the throughput but I still experience packet
> loss - see attached IO Graph: packet-loss-io-graph.jpg
>
> The Vendor solutions we have looked at will not decode UNISTIM signalling
> properly which is a requirement for this tool.
>
> Any suggestions on how to better configure either the operating system or
> wireshark to increase packet capture throughput will be greatly appreciated.
>
> Thanks in advance for your assistance.
>
> -John
>