Re: Taking tcpdump traces on fairly high-speed links

[Rick Jones <rick_jones2 () hp com>]

Long Le wrote:
> Hi all,
>
> Does anyone have tips (other than increasing bpf size) for taking
> tcpdump traces on a fairly high-speed link (say, 1-Gbps link)
> without dropping too many packets?

Well, certainly, one has to have a disc subsystem that is as fast or
faster than the data rate of the link. 

I suppose that using async, direct I/O might have some benefits - help
keep the tcpdump process from blocking on a disc write when/if it
manages to fill the buffer cache. But ultimately, the sustained rate of
the trace has to be below the ustained limit of the disc/filesystem.

If you were doing full 1514 byte snaplens, that means having a disc
subsystem that can sustain ~125 MB/s...

rick jones
-- 
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com  but NOT BOTH...
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe