Hi,

Can the problem with the dropped frames be due to poor storage performance?

I was wondering if one can achieve what NAI's Infinistream does by coupling a nice server PC (2 x Xeons 3GHz with 4 GB RAM) with a NetApp or EMC NAS solution for better I/O performance. Infinistream is after all using only a RAID5 config.

Any comments?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Heroux
Sent: Thursday, November 20, 2003 4:58 AM
To: [EMAIL PROTECTED]
Subject: [Ethereal-users] tcpdump vs ethereal

I am experiencing some proof of concept of using ethereal to replace our distributed sniffer and I see some differences between the traces.

It would run on gigabit links, on a RH-9 with 1GB RAM with Alteon gigabit cards on optic fiber (SX).
We are spanning ports using a Cisco 6509.

I have 2 interfaces in my proof of concept box, one to sniff and one to access it...
I am accessing it through eth1 and sniffing with eth0.
eth0 is promiscuous and has no IP address...

Here are some quick numbers from a quick trace :-)

Distributed sniffer: 2844520 packets captured, no drop
tcpdump: 2842639 packets captured, some drop (1881)
    tcpdump -w /dev/null -i eth0

But doing it with ethereal gives 2830298 packets captured, some drop (14222)

So I turned the swap off and did the same test (swapoff -a)... no program in swap should increase the performance due to page swapping time...
Distributed sniffer: 3025830 packets captured, no drop
tcpdump: 3013675 packets captured (1105 drops)
ethereal: 2984633 packets captured (30147 drops)

The switch reports no errors on the ports.
The interface on which I sniff reports no errors or drops.

ethereal -v issues the following:

    ethereal 0.9.16
    Compiled with GTK+ 1.2.10, with GLib 1.2.10, with libpcap 0.7.2, with libz 1.1.4, with Net-SNMP 5.0.6, without ADNS
    Running with libpcap (version unknown) on Linux 2.4.20-6

As for libpcap, rpm -qa | grep libpcap returns the following:

    libpcap-0.7.2-1

Now, here are my questions:

1- Why doesn't tcpdump get the same amount of packets as a regular sniffer (Dolch for instance)? I am using one of the best gigabit cards on the market; I should get the same result. BTW the Alteon card can be driven to wire speed, I saw it on an Auspex.
2- Why doesn't ethereal, which uses tcpdump, read the same amount of packets?
3- Is there any workaround?
4- Any other way than tcpdump (libpcap) to sniff and get no or fewer packet drops, with ethereal?

Any help will be appreciated.

M.H.