tcpdump mailing list archives
Re: HUGE packet-drop
From: Gabe Black <Gabe.Black () jdsu com>
Date: Mon, 24 Jan 2011 08:04:48 -0800
Just some ideas to help. I have an application that is trying to capture, modify, resequence, and route very small packets. The configuration I found the best is the following (for kernel parameters): sysctl -w net.core.wmem_max=1310710 sysctl -w net.core.rmem_max=1310710 sysctl -w net.core.wmem_default=1249280 sysctl -w net.core.rmem_default=1249280 sysctl -w net.core.netdev_budget=1024 sysctl -w net.core.dev_weight=128 sysctl -w net.core.netdev_max_backlog=10000 sysctl -w net.ipv4.udp_mem="11416320 15221760 22832640" sysctl -w net.core.optmem_max=40960 I also used ethtool with the -G option to increase the nic's hardware buffers to their max. The machine it is running on is pretty beefy, but cpu cycles are not limiting the throughput. I found the factor that effected performance the most is cache coherency and limiting inter-process interrupts. The best way I found to do this was to have the application that is receiving the packets running on the same cores that the kernel is pulling them off the nic. Since my machine had two chips each with 4-6 cores (8-12 logical cores), I limited my application to run on the same chip as the nic was receiving its interrupts. To control which logical core the nic handles the interrupts: cat /proc/interrupts | grep eth[number] That should show you the irq(s) that handles the interrupts. Then do something like: echo "1" > /proc/irq/[irq#_from_above]/smp_affinity to set what core handles the interrupt (1 is a bitmask saying to use the first logical core). Finally do something like: taskset -p 0x5 [your application i.e. tcpdump] (0x5 is a bitmask saying which cpu cores to use) to control what cores the process gets scheduled on. I found this the best way to get the most throughput out of the application, and the most likely way to reproduce results. Without doing this, I would get some runs that performed well, and others that were junk, and most that wavered. Oh, stop the irqbalancer service as that may overwrite what you did to the /proc/irq/# Also use top to monitor your top processes. If you see a ksoftirqd service getting lots of cpu cycles, you will be dropping packets and may be a good indicator that you should try a different irq#. Good luck. If you find any other tips to squeeze more performance please write back as I am also trying to squeeze the most performance possible out of my application. - Gabe Black -----Original Message----- From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of M. V. Sent: Sunday, January 23, 2011 9:42 AM To: tcpdump-workers Subject: [tcpdump-workers] HUGE packet-drop hi guys, i'm stucked with a confusing problem. i'm trying to dump gigabit network traffic to file. i'm using Debian5.0.3 AMD64 on an HP Proliant DL360 G5 (2*Quad-Core 2.33 hz - 4GiB RAM - 2*76GiB HardDisk). but whatever i try, even at 600Mbps rate, i got a huge packet-drop. *) i tried both tcpdump (1.1.1) && dumpcap (1.4.3) : (got similar results) - dumpcap -i eth0 -w /dump_folder/dump.pcap [-b filesize:150000] -s 0 - tcpdump -i eth0 -w /dump_folder/dump.pcap -s 0 *) i tried recompiling those two, with different libpcap versions (0.9.8 has best result, and i tried 1.0 and .1.1.1) *) i tried playing with kernel parameters: net.core.rmem_default = 40971510 net.core.rmem_max = 40971510 net.core.wmem_default = 40971510 net.core.wmem_max = 40971510 net.core.netdev_max_backlog = 300000 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.core.optmem_max = 2048000 .... *) i even tried writing on different disks (SDD, RamDisk): no change in results. ----------------------------------------------------------------------------------------- the result is not good at all. these are my tests and results: * iperf server: iperf -s -u 5 * iperf client : iperf -c ... -u -b 600m -t 10000 for dumping traffic at 600Mbps for 150 seconds, this is the best result i had so far: total received packets: ~8,000,000 dropped packets: ~3,500,000 so my best result is more than 40% packet-drop, which is a disaster. can anyone help me with this? any suggestions? am i doing something terribly wrong? thank you. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- HUGE packet-drop M. V. (Jan 23)
- Re: HUGE packet-drop Gabe Black (Jan 24)
- Re: HUGE packet-drop Rick Jones (Jan 24)
- Re: HUGE packet-drop Cedric Cellier (Jan 24)
- Re: HUGE packet-drop Cedric Cellier (Jan 24)
- Re: HUGE packet-drop M. V. (Jan 26)
- Re: HUGE packet-drop Jesper Dangaard Brouer (Jan 31)
- Re: HUGE packet-drop Guy Harris (Feb 06)
- Re: HUGE packet-drop Luca Bruno (Feb 06)
- Re: HUGE packet-drop Guy Harris (Feb 06)
- Re: HUGE packet-drop Jesper Dangaard Brouer (Jan 31)
- Re: HUGE packet-drop Gabe Black (Jan 24)
- <Possible follow-ups>
- Re: HUGE packet-drop M. V. (Feb 07)
- Re: HUGE packet-drop rixed (Feb 07)