tcpdump mailing list archives
Re: Looking for advice to improve performance
From: George Bakos <gbakos () ists dartmouth edu>
Date: Thu, 8 Jan 2004 00:19:23 -0500
The "xxx packets dropped by kernel" message you are seeing indicates that there is a critical path bottleneck, likely in the storage channel.

A few questions:

What type of link are you trying to monitor?
What is the hardware platform? CPU type & speed?
What interface/driver/version are you using?
What is the storage medium? Local? Network? Array? Single disk?
What is the tcpdump commandline & filter being used?
Is the sensor system being asked to do anything else besides sniff & serve sshd?

Here are a few simple guidelines that may help:

- Simple is better. Minimize the filter used on the sensor & limit the snaplen for your broad capture.

- Faster is better. Locally attached disks are much faster than network attached storage. If you are using an array, be sure it has plenty of RAM available for buffered writes.

- Lighter is better. Minimize the load on the sniffer. Redhat likes pretty stuff; get rid of it. If you MUST run a GUI, use a lightweight one, and no xscreensaver, for cryin' out loud. Best bet is to boot to runlevel 3 (non-graphical mode) before putting it into production. When sniffing at peak network load, what is the cpu utilization? Use the "top" utility to view running processes, memory usage & CPU states.

- Wide awake is better. Ensure there are no power management options turned on in the BIOS or kernel. You don't want your disks spinning down during quiet times, only to drop packets when that attack comes down the pipe at 3am.

g

On Wed, 7 Jan 2004 16:10:49 -0600 "Price, Jason" <Jason.Price () thomson com> wrote:
> I am trying to use tcpdump in conjunction with Shadow (on RedHat Advanced Server 3) to log all data coming into our organization. This is a very high volume of data, and tcpdump seems unable to handle it. Currently, about 40% of incoming packets are being dropped by the kernel.
>
> What are my options for improving the throughput of tcpdump? I'm relatively new to the linux world, so be gentle... :)
>
> Jason
>
> -
> This is the TCPDUMP workers list.
> It is archived at http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
--
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
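As an added example (not code from the thread or from tcpdump itself): a small POSIX shell helper that runs the lean capture the reply recommends (short snaplen, no name resolution, a minimal filter, raw pcap written to a local disk) and turns tcpdump's "packets dropped by kernel" summary into a drop percentage a sensor health check can alert on. The interface name, the snaplen of 96 bytes, the packet count and the file paths are assumptions; the summary text used for the check is constructed.

```shell
#!/bin/sh
# Added example: measure the kernel drop rate of a tcpdump sensor from the
# summary tcpdump prints to stderr when it stops, and run a lean capture.

# Constructed sample of tcpdump's stop summary (numbers are made up; the 40%
# drop rate mirrors what the original poster reported).
SAMPLE_SUMMARY='1200 packets captured
2000 packets received by filter
800 packets dropped by kernel'

# drop_rate SUMMARY_TEXT -> prints the integer percentage of packets the
# kernel dropped relative to packets received by the filter (0 if the
# summary has no "received by filter" line or reports zero packets).
drop_rate() {
    printf '%s\n' "$1" | awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print 0; exit }
            printf "%d\n", (drop * 100) / recv
        }'
}

# drop_ok SUMMARY_TEXT THRESHOLD_PCT -> exit status 0 when the drop rate is
# at or below the threshold, 1 otherwise; usable as an alert condition.
drop_ok() {
    rate=$(drop_rate "$1")
    [ "$rate" -le "$2" ]
}

# lean_capture IFACE OUTFILE -> the capture style the reply suggests: short
# snaplen (-s 96, assumed value), no name resolution (-n), a minimal filter
# ('ip'), raw pcap written to a local file (-w). -c bounds the run so the
# summary is printed; stderr (the summary) goes to OUTFILE.stats. Needs root.
lean_capture() {
    tcpdump -i "$1" -n -s 96 -c 100000 -w "$2" 'ip' 2>"$2.stats"
}

# Putting the two together on a real sensor (commented out: needs root and
# an interface; paths are assumptions):
# lean_capture eth0 /var/log/sensor.pcap
# drop_ok "$(cat /var/log/sensor.pcap.stats)" 1 || echo "sensor dropping packets"
```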