Wireshark mailing list archives

Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment


From: John Powell <jrp999 () gmail com>
Date: Fri, 14 Dec 2012 07:10:18 -0600

Hi Richard,

Never thought about XFS - I will definitely look into that!!

I think it should be rather trivial to create the XFS partitions in
kickstart.

Have you had any experience on how to split the Metadata to a separate
drive (I do have a 300 G SSD at my disposal)?

Thanks for all your help!!

-John

On Thu, Dec 13, 2012 at 11:05 AM, Richard Sharpe <realrichardsharpe () gmail com> wrote:

On Thu, Dec 13, 2012 at 8:59 AM, John Powell <jrp999 () gmail com> wrote:
Hi Ronnie,

I am capturing a 250 MB file every few seconds.  My ATOP reports:

MDD |          md2 | busy      0% | read       1  | write  15442 | KiB/r 4 | KiB/w      4 | MBr/s   0.00 | MBw/s  60.32  | avq     0.00 | avio 0.00 ms |
DSK |          sda | busy    107% | read       1  | write    205 | KiB/r 4 | KiB/w    506 | MBr/s   0.00 | MBw/s 101.33  | avq    93.88 | avio 4.51 ms |
DSK |          sdb | busy     92% | read       0  | write    191 | KiB/r 0 | KiB/w    511 | MBr/s   0.00 | MBw/s  95.50  | avq    86.84 | avio 4.20 ms |

I need the resulting files to be searchable by TSHARK and be able to
create a PCAP extraction based on the search.

The dumpcap command being used is:

/usr/local/bin/dumpcap -B 16 -i 4 -f "vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc)" -g -b filesize:250000 -b duration:900 -w /data/eth2.cap

I am looking at using an SSD for my OS and my Capture volume which may
help out with the Disk IO issue but eliminating the copy from the /TMP
would definitely be an asset.

That sounds like about 100MB/s.

If you can use a file system like XFS that can separate metadata from
data, and put your metadata on SSD, then you might find that a small
array of spinning disks is enough for you.

--
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
