On Tue, 4 Dec 2007, Peter Losher wrote:
I am currently working on a tcpdump collector where we have multiple feeds
coming in (via bge{0-8}). Since tcpdump can only poll one interface per
process, I was hoping to aggregate the traffic onto one pseudo-interface for
tcpdump to hold onto and to poll.
Looking thru the archives, it seems ng_one2many (in this case 'many2one') is
what I am looking for. Am I barking the right tree here?
Depending on the configuration of the system (number of interfaces, number of
CPUs, etc), you may find that running many tcpdump sessions results on greater
throughput due to making better use of parallelism. For example, if you have
eight cores and four interfaces, then you can end up running with one ithread
and one tcpdump session, each on their own CPU, per interface. Of course, if
you have many more interfaces than CPUs/pairs, then you just end up with much
more context-switching, which will hurt performance. BTW, if you find you're
getting packet loss in BPF processing at high rates, we should have you try
the zero-copy BPF patches. Finally, another configuration you might consider
is a single 10gbps card configured as a vlan trunk attached to a switch
serving the various vlans to various switch ports. I'm not sure if that will
be faster or lower, but it would be different. :-)
Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
