> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Darren Reed
> Sent: sabato 7 agosto 2004 13.19
> To: [EMAIL PROTECTED]
> Subject: Re: [tcpdump-workers] advice for heavy traffic capturing
>
>
> In some email I received from Motonori Shindo, sie wrote:
> > Hi,
> >
> > I'm involved in a project to do some network traffic analysis. One of
> > the goals of this project is to identify an equipment that is
> > supposedly dropping packets. My idea to achieve this goal is to
> > capture traffic by tcpdump at both sides of equipment in question and
> > compare them to determine whether it is actually dropping packets (I
> > probably need to do some programming here).
>
> First thing, you need to get yourself a network tap.
> Something like this:
> http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=60&Section=products&menuitem=1
> That might not be the exact item you need, but it should put you on
> the right path.
>
> This will cost you money.  These devices are the only real way to go
> if you want to have a hope of capturing full duplex data without loss.
>
> > My concern is how fast
> > tcpdump can keep up with without any packet loss.
>
> This is not a tcpdump problem, so much as it is a choice of hardware
> and operating system.
>
> If you can find out what buffering the various cards have to go into
> the monitoring station, try and use (buy) the one with the most.
>
> Next, use BSD-something.  Forget about Linux/Windows/Darwin.

Darren, could you please give us some numbers?
If you take a look at this paper:

  F. Risso, L. Degioanni
  An architecture for high performance network analysis

http://ieeexplore.ieee.org/iel5/7446/20240/00935450.pdf?tp=&arnumber=935450&isnumber=20240&arSt=686&ared=693&arAuthor=Risso%2C+F.%3B+Degioanni%2C+L.%3B

and this:

  L. Deri
  Improving Passive Packet Capture: Beyond Device Polling
  http://luca.ntop.org/Ring.pdf

it seems that Windows is the best-performing OS (without any ad-hoc patch).
Do you have anything (possibly published somewhere) supporting what you're
saying?

        fulvio



> Linux 2.6 seems to be much worse than 2.4 ever was.
>
> > The traffic that I
> > have to monitor is around 150Mbps at a peak time.
>
> At that point, you may get up to 150Mbps out without loss.
>
> However, you may have to build your own libpcap/tcpdump where you
> increase the BPF buffer size up to 1MB or so if it doesn't get set
> that high to start with.
>
> Similarly, to give yourself a good chance, you want to be using
> hardware with high internal bandwidth (533MHz FSB, etc.)  If you
> can, PCI-X or 64bit or 66MHz PCI.
>
> > I'd like to know which
> > component is likely the most contributing factor to get higher
> > performance.
>
> In testing up to 100Mbps, it was the NIC.
> With 100BaseT NICs, the best was the Intel Pro 100S.
> After that, the next bottleneck (with GigE cards) was PCI.
> 33MHz, 32bit PCI is just on 1Gbps.  I've been able to capture
> at between 900Mbps-1Gbps with multiple NICs.
>
> Going to 66MHz and 64bit gets you 4Gbps.
>
> Darren
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.

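The comparison Motonori describes (capture with tcpdump on both sides of the device, then compare the two files) as an added example that is not part of this thread or of tcpdump itself: it reads two classic pcap files with the standard library only, fingerprints each frame while ignoring the fields a router rewrites in transit (MAC addresses, TTL, IP header checksum), and reports packets seen going in but not coming out. The two captures are constructed inline as sample data; `make_frame` and `build_pcap` exist only to build them.

```python
import hashlib
import struct
from collections import Counter

def parse_pcap(data: bytes):
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def fingerprint(frame: bytes) -> str:
    """Hash an Ethernet/IPv4 frame, ignoring what a router rewrites in transit:
    MAC addresses, IP TTL and the IP header checksum."""
    pkt = bytearray(frame[14:])  # drop the Ethernet header
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:  # IPv4
        pkt[8] = 0                 # TTL
        pkt[10:12] = b"\x00\x00"   # header checksum
    return hashlib.sha256(bytes(pkt)).hexdigest()

def missing_packets(ingress: bytes, egress: bytes) -> dict:
    """Fingerprints seen in the ingress capture but not the egress capture, with
    multiplicity: three copies in and two out means one candidate drop."""
    seen_in = Counter(fingerprint(f) for f in parse_pcap(ingress))
    seen_out = Counter(fingerprint(f) for f in parse_pcap(egress))
    return dict(seen_in - seen_out)

# Constructed sample data standing in for the two tcpdump files (not real traffic).
def make_frame(ip_id: int, ttl: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/UDP-style frame; IP checksum left at 0 for brevity."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                     ttl, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x02" * 12 + b"\x08\x00" + ip + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container (LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_091_876_340 + i, 0, len(f), len(f)) + f
    return out

INGRESS = build_pcap([make_frame(i, 64, b"data%d" % i) for i in (1, 2, 3, 3)])
EGRESS = build_pcap([make_frame(i, 63, b"data%d" % i) for i in (1, 3)])  # id 2 and one copy of id 3 lost
```

A mismatch here cannot by itself tell a drop by the device apart from a drop by one of the capture hosts, which is the very concern raised in the thread; check the "dropped by kernel" count tcpdump prints on both monitoring machines before blaming the equipment.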