Re: advice for heavy traffic capturing

["Fulvio Risso" <fulvio.risso () polito it>]

> -----Original Message-----
> From: tcpdump-workers-owner () lists tcpdump org
> [mailto:tcpdump-workers-owner () lists tcpdump org]On Behalf Of Darren Reed
> Sent: sabato 7 agosto 2004 13.19
> To: tcpdump-workers () lists tcpdump org
> Subject: Re: [tcpdump-workers] advice for heavy traffic capturing
>
>
> In some email I received from Motonori Shindo, sie wrote:
> > Hi,
> >
> > I'm involved in a project to do some network traffic analysis. One of
> > the goals of this project is to identify an equipment that is
> > supposedly dropping packets. My idea to achieve this goal is to
> > capture traffic by tcpdump at both sides of equipment in question and
> > compare them to determine whether it is actually dropping packets (I
> > probably need to do some programming here).
>
> First thing, you need to get yourself a network tap.
> Something like this:
> http://www.netoptics.com/products/product_family_details.asp?cid=1
> &pid=60&Section=products&menuitem=1
> That might not be the exact item you need, but it should put you on
> the right path.
>
> This will cost you money.  These devices are the only real way to go
> if you want to have a hope of capturing full duplex data without loss.
>
> > My concern is how fast
> > tcpdump can keep up with without any packet loss.
>
> This is not a tcpdump problem, so much as it is a choice of hardware
> and operating system.
>
> If you can find out what buffering the various cards have to go into
> the monitoring station, try and use (buy) the one with the most.
>
> Next, use BSD-something.  Forget about Linux/Windows/Darwin.

Darren, could you please give us some numbers?
If you take a look at this paper:

  F. Risso, L. Degioanni
  An architecture for high performance network analysis

http://ieeexplore.ieee.org/iel5/7446/20240/00935450.pdf?tp=&arnumber=935450&;
isnumber=20240&arSt=686&ared=693&arAuthor=Risso%2C+F.%3B+Degioanni%2C+L.%3B

and this:

  L. Deri
  Improving Passive Packet Capture:Beyond Device Polling
  http://luca.ntop.org/Ring.pdf

it seems that Windows is the most performing OS (without any ad-hoc patch).
Do you have anything (possible published somewhere) supporting what you're
saying?

        fulvio



> Linux 2.6 seems to be much worse than 2.4 ever was.
>
> > The traffic that I
> > have to monitor is around 150Mbps at a peak time.
>
> At that point, you may get upto 150Mpbs out without loss.
>
> However, you may have to build your own libpcap/tcpdump where you
> increase the BPF buffer size upto 1MB or so if it doesn't get set
> that high to start with.
>
> Similarly, to give yourself a good chance, you want to be using
> hardware with high internal bandwidth (533Mhz FSB, etc.)  If you
> can, PCI-X or 64bit or 66MHz PCI.
>
> > I'd like to know which
> > component is likely the most contributing factor to get higher
> > performance.
>
> In testing upto 100Mbps, it was the NIC.
> With 100BaseT NICs, the best was the Intel Pro 100S.
> After that, the next bottle neck (with GigE cards) was PCI.
> 33MHz, 32bit PCI is just on 1Gbps.  I've been able to capture
> at between 900Mbps-1Gbps with multiple NICs.
>
> Going to 66MHz and 64bit gets you 4Gbps.
>
> Darren
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.