tcpdump mailing list archives

Re: How tcpdump determines the "dropped by kernel"?


From: Eliezer Croitoru <eliezer () ngtech co il>
Date: Mon, 25 Nov 2013 21:13:48 +0200

Hey,

Yes, under high load it can cause some trouble.
The solution I could think of was a dedicated machine that would receive all traffic from the replication (HUB-like) port while the machine's Ethernet is in promiscuous mode, which would then capture all traffic from the network.

I do not know exactly how many resources it would take when there is an option to, let's say, "pin" tcpdump to one or two cores while letting all the others handle the rest of the traffic. For a very high load I would need a big buffer or maybe a frame-buffer card that would help to reduce the load on the kernel while allowing fewer packet drops.

Eliezer

On 25/11/13 16:23, Prashant Batra (prbatra) wrote:
Hi,

In addition to the tcpdump application eating up resources, it would degrade the performance of the send/receive path in the kernel. Each packet going out from the kernel and received in would be cloned and then given to the tcpdump application.
At very high load this would be significant.

Regards,
Prashant
