tcpdump mailing list archives

Re: Looking for advice to improve performance


From: George Bakos <gbakos () ists dartmouth edu>
Date: Thu, 8 Jan 2004 00:19:23 -0500

The "xxx packets dropped by kernel" message you are seeing indicates that
there is a critical path bottleneck, likely in the storage channel.

A few questions: 
What type of link are you trying to monitor?
What is the hardware platform? CPU type & speed? 
What interface/driver/version are you using? 
What is the storage medium? Local? Network? Array? Single disk?
What is the tcpdump commandline & filter being used? 
Is the sensor system being asked to do anything else besides sniff & serve
sshd?

Here are a few simple guidelines that may help:

 - Simple is better. Minimize the filter used on the sensor & limit the
snaplen for your broad capture. 

 - Faster is better. Locally attached disks are much faster than network
attached storage. If you are using an array, be sure it has plenty of RAM
available for buffered writes. 

 - Lighter is better. Minimize the load on the sniffer. Redhat likes pretty
stuff; get rid of it. If you MUST run a GUI, use a lightweight one, and no
xscreensaver, for cryin' out loud. Best bet is to boot to runlevel 3
(non-graphical mode) before putting it into production. When sniffing at
peak network load, what is the cpu utilization? Use the "top" utility to
view running processes, memory usage & CPU states.

 - Wide awake is better. Ensure there are no power management options
turned on in the BIOS or kernel. You don't want your disks spinning down
during quiet times, only to drop packets when that attack comes down the
pipe at 3am.

g

On Wed, 7 Jan 2004 16:10:49 -0600 
"Price, Jason" <Jason.Price () thomson com> wrote:

I am trying to use tcpdump in conjunction with Shadow (on RedHat Advanced
Server 3) to log all data coming into our organization.  This is a very high
volume of data, and tcpdump seems unable to handle it.  Currently, about 40%
of incoming packets are being dropped by the kernel.

What are my options for improving the throughput of tcpdump?

I'm relatively new to the linux world, so be gentle...  :)

Jason
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
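A small sensor health check, added here as an example and not code from either poster: it parses the end-of-run summary that tcpdump prints on stderr (the "packets dropped by kernel" line George refers to), computes the kernel drop percentage, and flags it against a threshold. The interface name, snaplen, output path and filter in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn tcpdump's summary counters into
# a drop percentage so a capture box can alert long before 40% of the
# traffic goes missing. Ratio used: dropped by kernel / received by filter.

# drop_pct SUMMARY_TEXT -> prints the kernel drop percentage (integer).
# The counters come from tcpdump's end-of-run summary lines:
#   N packets captured
#   N packets received by filter
#   N packets dropped by kernel
drop_pct() {
    summary="$1"
    received=$(printf '%s\n' "$summary" | awk '/received by filter/ {print $1}')
    dropped=$(printf '%s\n' "$summary" | awk '/dropped by kernel/ {print $1}')
    # Guard against an empty or missing summary: report 0% instead of dividing by zero.
    if [ -z "$received" ] || [ "$received" -eq 0 ]; then
        echo 0
        return 0
    fi
    [ -n "$dropped" ] || dropped=0
    echo $(( dropped * 100 / received ))
}

# check_drops SUMMARY_TEXT THRESHOLD -> 0 if drop% is within threshold, 1 otherwise.
check_drops() {
    pct=$(drop_pct "$1")
    if [ "$pct" -gt "$2" ]; then
        echo "WARN: kernel dropped ${pct}% of packets (threshold $2%)" >&2
        return 1
    fi
    echo "OK: kernel dropped ${pct}% of packets"
    return 0
}

# Constructed sample summary, matching the roughly 40% loss reported in the thread.
SAMPLE='600 packets captured
1000 packets received by filter
400 packets dropped by kernel'

# Usage (interface, snaplen, path and filter are assumptions): run the capture the
# way the reply recommends (simple filter, limited snaplen, local disk), keep the
# stderr summary, then feed it to check_drops with the drop percentage you tolerate.
#   tcpdump -i eth0 -s 96 -w /var/log/capture.pcap 'not port 22' 2>summary.txt
#   check_drops "$(cat summary.txt)" 5
```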