tcpdump mailing list archives

Re: Endace DAG card


From: Stephen Donnelly <stephen () endace com>
Date: Thu, 27 Sep 2007 09:10:39 +1200

On Wed, 2007-09-26 at 10:09 +0200, Michele Sciuto wrote:
> Hi,
> I'm using a DAG 4.3GE card to capture traffic and I just have to clarify
> some points.
>
> Since I need the acquired data in libpcap format, I was wondering if it
> would be better to use dagsnap followed by dagconvert or, alternatively,
> tcpdump with the dag patch. Does somebody know which is the best choice,
> considering performance?

Generally the highest possible performance writing to disk would be to
use dagsnap with the -j option capturing in ERF format.

From an informational viewpoint, you are better to process in ERF format
directly where possible, as the conversion to pcap format loses
timestamp precision and some packet metadata.

The upcoming DLT_ERF works around the information loss issue but still
imposes memory, bandwidth and CPU overheads compared to using ERF
directly.

If you do need to process in pcap format, you can either capture in ERF
format and post-convert (dagsnap then dagconvert or editcap), or capture
directly with dagconvert (dagconvert -d), or use libpcap-based software
such as tcpdump or tshark.

> And again, so far I can see the card as /dev/dag0 and I just used
> dagsnap to capture data. Somehow, is it possible to see the dag
> interface with ifconfig (I mean configuring it in
> /etc/network/interfaces), in order to use netstat to check the counters?

No, as the DAG is not presented as a network interface to Linux. dagfour
or dagconfig can be used, or you can access the statistics via the DAG
configuration and status API from your own software.

Regards,
Stephen.
-- 
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
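
An added example, not part of the original post or of Endace's tools, showing the precision and metadata loss the reply describes when an ERF record is rewritten as a classic pcap record. The 16-byte ERF header layout and the four-field pcap record header are taken from the public format descriptions, not from this thread; the helper names and the two sample records are constructed for illustration.

```python
import struct

# ERF record header (16 bytes): 64-bit little-endian fixed-point timestamp
# (high 32 bits = seconds, low 32 bits = binary fraction of a second), then
# type, flags, rlen, lctr (loss counter), wlen in network byte order.
def parse_erf_header(buf):
    (ts,) = struct.unpack_from("<Q", buf, 0)
    rtype, flags, rlen, lctr, wlen = struct.unpack_from(">BBHHH", buf, 8)
    return {"ts": ts, "sec": ts >> 32, "frac": ts & 0xFFFFFFFF,
            "type": rtype & 0x7F, "iface": flags & 0x03,
            "rx_error": bool(flags & 0x10),
            "rlen": rlen, "lctr": lctr, "wlen": wlen}

def pcap_record_header(erf, caplen):
    """Classic pcap per-packet header: ts_sec, ts_usec, incl_len, orig_len.
    Interface number, error flags and loss counter have no field here."""
    usec = (erf["frac"] * 1_000_000) >> 32      # truncate to microseconds
    return struct.pack("<IIII", erf["sec"], usec, caplen, erf["wlen"])

def lost_nanoseconds(erf):
    """Part of the ERF timestamp that a microsecond pcap timestamp drops."""
    usec = (erf["frac"] * 1_000_000) >> 32
    return (erf["frac"] / 2**32 - usec / 1_000_000) * 1e9

def make_erf_header(sec, frac, iface, lctr, wlen):
    """Constructed sample header (TYPE_ETH = 2), not captured traffic."""
    # rlen = 16-byte header + 2 bytes Ethernet offset/pad + payload
    return struct.pack("<Q", (sec << 32) | frac) + struct.pack(
        ">BBHHH", 2, iface | 0x04, 16 + 2 + wlen, lctr, wlen)

# Two constructed records about 477 ns apart, seen on different ports.
REC_A = parse_erf_header(make_erf_header(1190841039, 0x80000000, 0, 0, 70))
REC_B = parse_erf_header(make_erf_header(1190841039, 0x80000800, 1, 3, 70))

if __name__ == "__main__":
    for name, rec in (("A", REC_A), ("B", REC_B)):
        sec, usec, _, _ = struct.unpack("<IIII", pcap_record_header(rec, 70))
        print(name, "ERF", hex(rec["ts"]), "iface", rec["iface"],
              "lctr", rec["lctr"], "-> pcap", sec, usec,
              "lost %.1f ns" % lost_nanoseconds(rec))
```

After conversion the two records carry identical pcap timestamps, so their relative order, capture port and the loss counter can no longer be recovered from the pcap file alone.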

