Re: Best OS / Distribution for gigabit capture?

[Darren Reed <darren.reed () oracle com>]

On  5/02/11 11:20 PM, M. V. wrote:
> hi,
>
> as i mentioned in my previous mail, (with the title: "HUGE packet-drop") i'm
> having problem trying to dump gigabit traffic on harddisk with tcpdump on
> Debian5.0. i tried almost everything but got no success. so, i decided to
> start-over:
>
> *) if anyone has experience on successful gigabit capture, what combination of
> "Operating-System / Distribution / Kernel Version / libpcap version / ..." do
> you suggest for maximum zero-packet-loss capture?

What are you going to do with the packets?

Can you process the packets that you capture with few enough
CPU cycles that you never cause backlog?

If the time you spend dealing with the packets that you capture is
larger than the average time between packets, then it does not
matter if the first 1000 or 10000 packets are not lost, eventually
you will reach a point where the buffers fill and you drop packets.

Which is to say that the equation is just as much about what happens
when libpcap returns and you have your packets in buffers than what
happens in the kernel.

Darren

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.