2003-03-13 13:42:25

by Srihari Vijayaraghavan

Subject: Request for help - tcpdump on many ethernet cards simultaneously

Hello,

I have a requirement to capture network traffic on 5 Fast Ethernet cards
simultaneously and store it in the local file system using tcpdump utility
(3.7.2 Latest).

I ran some initial tests on RH 2.4.9 based kernel on a test machine with:
2 Xeon 2.8 GHz/512 KB Cache
1 GB RAM
U160 10K SCSI drives on Hardware RAID 1 under Compaq SmartArray controller
(cciss.o)
4 Intel Ether Expro 100 Tx cards (eepro100.o), 1 Broadcom Gigabit (tg3.o)
All connected to a Cisco Fast Ethernet Switch (100 Tx only)

I captured approx 3 million packets of 1500 bytes on each adapter
simultaneously over a period of a few minutes (it takes about 10 secs to fill up
approx 500 MB in the EXT2 file system). During this period CPU (nearly 100%
utilised), Memory (only a few megabytes remained free, the rest all occupied by
cache/buffer) and IO were really busy. The tcpdump utility reported that
the kernel hasn't dropped a single packet in that duration, which is good news.

Is there anyone out there who has done similar work and would like to share
the knowledge about:
1. Kernel version
2. File system used (parameters if any)
3. Network card and driver
4. SCSI/HW RAID controller card and driver
5. Tuning parameters for any sub-system if any
6. Any advice in general (don't use more than 1 GB RAM, use XFS, use aa/rmap,
use 2.5 :-) etc..)

What I am really worried about is that the kernel may start dropping packets after
a few hours/days and/or tcpdump/kernel may not be able to keep up with the
network load due to IO load on the hard drives, memory pressure etc..

Are there any known bad effects on a 4 GB RAM configuration? (the production
system will have 4 GB RAM)

By tomorrow I will have the opportunity to run it for a few hours and see if it
misbehaves (on 2.4.18-RH-latest and 2.4.20/21-pre. -aa if possible). I could
also capture vmstat etc..

Thanks for your help.
--
Hari


2003-03-13 14:19:35

by Torsten Foertsch

Subject: Re: Request for help - tcpdump on many ethernet cards simultaneously

On Thursday 13 March 2003 14:51, Srihari Vijayaraghavan wrote:
> Is there anyone out there who has done similar work and would like to share
> the knowledge about:

Have a look at http://www.endace.com/. They have done it in hardware.

Torsten

2003-03-13 14:18:06

by uaca

Subject: OFFTOPIC: Re: Request for help - tcpdump on many ethernet cards simultaneously

On Fri, Mar 14, 2003 at 12:51:19AM +1100, Srihari Vijayaraghavan wrote:
[...]
> What I am really worried about is that the kernel may start dropping packets after
> a few hours/days and/or tcpdump/kernel may not be able to keep up with the
> network load due to IO load on the hard drives, memory pressure etc..

find a libpcap using CONFIG_PACKET_MMAP, and you will probably forget about
drops IMHO

if you do find it, please let me know

I'm currently using pandora's monitor modified libpcap.... GREAT

I think that Linux is the only OS that provides user space buffers to packet
capture... am I wrong?

Maybe this is an offtopic on this mailing list...
...so this is my first and last mail about it here.

Ulisses

Debian GNU/Linux: a dream come true
-----------------------------------------------------------------------------
"Computers are useless. They can only give answers." Pablo Picasso

---> Visit http://www.valux.org/ to learn about the <---
---> Asociación Valenciana de Usuarios de Linux <---
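
An added example, not part of the original thread: one way to check the concern raised above, that drops only appear after hours of capture, is to restart tcpdump per interface at intervals and aggregate the exit summaries each run writes to stderr. The hourly run labels, interface names and sample counts below are constructed assumptions.

```python
import re
from collections import defaultdict

# The two counters tcpdump prints on stderr when a capture ends.
SUMMARY = re.compile(r"^(\d+) packets (received by filter|dropped by kernel)", re.M)

def parse_summary(stderr_text):
    """Return (received, dropped) from one tcpdump exit summary."""
    counts = {kind: int(n) for n, kind in SUMMARY.findall(stderr_text)}
    try:
        return counts["received by filter"], counts["dropped by kernel"]
    except KeyError:
        # A capture that was killed hard never prints its counters.
        raise ValueError("incomplete tcpdump summary") from None

def drop_report(runs):
    """Aggregate runs given as (interface, run_label, stderr_text) in time order.

    Per interface: total received, total dropped, and the label of the
    first run in which the kernel reported any drop (None if it never did).
    """
    report = defaultdict(lambda: {"received": 0, "dropped": 0, "first_drop_run": None})
    for iface, label, text in runs:
        received, dropped = parse_summary(text)
        entry = report[iface]
        entry["received"] += received
        entry["dropped"] += dropped
        if dropped and entry["first_drop_run"] is None:
            entry["first_drop_run"] = label
    return dict(report)

def sample_stderr(iface, received, dropped):
    """Build a constructed stderr capture in tcpdump's summary format."""
    return (f"tcpdump: listening on {iface}\n"
            f"{received} packets received by filter\n"
            f"{dropped} packets dropped by kernel\n")

# Constructed sample: two interfaces, two consecutive hourly runs each.
SAMPLE_RUNS = [
    ("eth0", "hour-1", sample_stderr("eth0", 3000000, 0)),
    ("eth1", "hour-1", sample_stderr("eth1", 3000000, 0)),
    ("eth0", "hour-2", sample_stderr("eth0", 3000000, 0)),
    ("eth1", "hour-2", sample_stderr("eth1", 2998158, 1842)),
]

if __name__ == "__main__":
    for iface, stats in sorted(drop_report(SAMPLE_RUNS).items()):
        print(iface, stats)
```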