nanog mailing list archives

Re: using sniffer on high-bandwidth pipes


From: JP Velders <jpv () veldersjes net>
Date: Fri, 3 Dec 2004 23:08:57 +0100 (CET)



Date: Fri, 3 Dec 2004 10:47:08 -0500 (EST)
From: todd romero <todd () routeflap net>
To: nanog () nanog org
Subject: using sniffer on high-bandwidth pipes

does anyone have experience using a sniffer on a hi-capacity network
segment, that might know if there are limitations I need to worry about?

example: customers doing EMC database replication across a mpls link, and
when the capacity reaches approx. 250 Mbp/s packets are arriving out of
sequence etc.  So we need to put sniffers on both sides to capture some
data to see what's happening when the capacity reaches 250mbps.

Well, there was a nice presentation at SANE 2004 about using Linux
with some tweaks... It also compared it model and performance wise
with the features available under FreeBSD (4.x IIRC):
http://www.nluug.nl/events/sane2004/abstracts/ab.html?id=100

Luca is the man behind NTOP:
http://www.ntop.org/

Luca showed that moderate hardware is capable of handling Gb/s speeds
at above 90% capture rate if you use the right combination of logic
and tools (PF_Ring). In his case a moderate P3 and I believe somewhere
upwards of 600Mbps... The goal was mainly to reduce the load of the
CPU to allow the machine to actually process the packets it has
captured ;)

The ntop website has some papers:
http://www.ntop.org/documentation.html

tia,
tr

Kind Regards,
JP Velders

