From: Pekka Pietikainen <pp@ee.oulu.fi>
Date: Wed, 1 Dec 2010 14:19:57 +0200
To: Thomas Fjellstrom <thomas@fjellstrom.ca>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: Re: low overhead packet capturing on linux
Message-ID: <20101201121957.GA3747@ee.oulu.fi>
References: <201011301728.05197.thomas@fjellstrom.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <201011301728.05197.thomas@fjellstrom.ca>
zFrom: Pekka Pietikainen <pp@ee.oulu.fi>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1264
Lines: 24

On Tue, Nov 30, 2010 at 05:28:05PM -0700, Thomas Fjellstrom wrote:
> I'm working on a little tool to monitor and measure bandwidth use on a vm 
> host, down to keeping track of all guest and host bandwidth, including, 
> eventually per layer7 protocol use.
> 
> Right now I have a pretty simple setup, I setup an AF_PACKET socket, select on 
> it, and read data as it comes in. Obviously, this has a fatal flaw. It takes up 
> a rather large amount of cpu time just to capture the packets. On a GbE 
> interface, it uses up easily 60-80% cpu (on a 2.6Ghz amd phenom II cpu core) 
> just to capture the packets, trying to do anything fancy with them will likely 
> cause the kernel to drop some packets.
> 
> So what I'm looking for is a very low overhead way to capture packets. I've 
> come up with a few ideas, some of which I have no idea if they'd even work.
Have you checked out

http://public.lanl.gov/cpw/ (IIRC it's actually a part of recent libpcap,
but could be wrong) and http://www.ntop.org/PF_RING.html ?

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/