Re: using sniffer on high-bandwidth pipes

["Alexei Roudnev" <alex () relcom net>]

We are using FreeBSD 4.x on 1Gbit Ethernet (for snifferring). Never had a
problems (but I should not garantee 100% snifferring on 400,000pps).

In reality, correct, pps is important, bandwidth is not important. If
traffic is VoIP, it's a problem; if it is 90% WEB, it's an easy task.

----- Original Message ----- 
From: "Steve Francis" <sfrancis () fastclick com>
To: "todd romero" <todd () routeflap net>
Cc: <nanog () nanog org>
Sent: Friday, December 03, 2004 8:08 AM
Subject: Re: using sniffer on high-bandwidth pipes


> It probably depends more on pps than bandwidth.
> At a prior job, I used FreeBSD 4.x machines to capture over 400,000 pps,
> I think, on gigabit links.
> You need a nic that is supported with one of the device polling drivers
> to keep CPU manageable. (Intel, not yet broadcom.)
>
> FreeBSD far surpassed Solaris in packet capture performance.
>
> Linux 2.6 machines may do OK, using NAPI - but I've no experience with
that.
> todd romero wrote:
>
> > does anyone have expirience using a sniffer on a hi-capacity network
> > segment, that might know if there are limitations I need to worry about?
> >
> > example: customers doing EMC database replication across a mpls link, and
> > when the capacity reaches aprox. 250 Mbp/s packets are arriving out of
> > sequence etc.  So we need to put sniffers on both sides to capture some
> > data to see whats happeneing when the capacity reaches 250mbps.
> >
> > what kind of system requirements would be needed to be able to be able to
> > capture that amount of data. For some reason, I dont think that the Dolch
> > Pac 65 sniffers we have (running nt4 and sniffer pro2) would be able to
> > handle that kind of data?  If they cant, we can probbaly use a sun box.
> > what kind of specs would the box need?
> >
> > tia,
> > tr