[2246] in linux-net channel archive


RE: Optimizing for packet sniffing

daemon@ATHENA.MIT.EDU (ATPlack@scj.com)
Mon Mar 25 19:33:02 1996

From: ATPlack@scj.com
Date: 	25 Mar 96 16:10:09 -0600
To: Nick.Holloway@alfie.demon.co.uk,
        submit-linux-dev-net@ratatosk.yggdrasil.com


1. The best PCMCIA card that I have found (believe this or not) is the IBM 
Ethernet PCMCIA.  It supports full promiscuous mode and we have never lost 
any packets with this.  3COM cards do not pass bad or malformed packets to 
the drivers, so not all packets are available.  Stay away from these cards 
if you want to do real sniffing.
2. I have a similar setup with a different piece of software (Novell 
LANalyzer for Windows).  The laptop is a 486DX/50 w/ 8M RAM.  We also have a 
true 1Gb sniffer.  My laptop has been able to do full Ethernet 10Mb line 
captures @ 75% wire utilization and shows no difference in packet capture 
from the true sniffer.  (That is under Windows).  Linux should be better and 
more power friendly.  It is not like an NT which always requires more 
hardware to get the job done.  A P90 is nice but more memory will do you 
better.
3. The problem you identify is exactly the problem I face in connecting to 
Microsoft.com.  The exact problem leads me to believe it is in the Windows 
NT IP stack that there is a problem.  We also notice a performance 
degradation on the local NT box when FTP is attempted.  That is with 3.51.
4. Not all PCMCIA slots have the same throughput.
5. I will leave your other questions to the greats that haunt these lines.
 ----------
From: Nick.Holloway@alfie.demon.co.uk
To: WT00036
Subject: Optimising for packet sniffing
Date: Monday, March 25, 1996 2:53PM

Path: not-for-mail
Newsgroups: linux.dev.net
Organization: Alfie's Internet Node
Lines: 24
X-Submitted-Via: news@ratatosk.yggdrasil.com (linux.* gateway)
Precedence: bulk

I've installed Linux 1.3.75 on a 486sx20 laptop with 8Mb of RAM, so I
can use tcpdump to try and get a handle on a problem we are seeing.

The worrying aspect is that I get "Couldn't get a free page" reasonably
often.  Are there parameters I can tune in /proc/sys to try and help
with keeping memory available for incoming packets?

Does anybody have a feeling for whether I will be losing a significant
number of packets on the above setup (ethernet card
is a PCMCIA Grey Cell card) -- i.e. can I expect to be able to grab
back-to-back packets off the wire?  Should I commandeer a P90 with a
3c509 instead?

PS: The problem we are seeing is that Win 3.11 with MS/TCP 3.11b
talking to NT 3.1 is suffering from spurious "Connection reset by peer".
Looking at a packet trace, it appears I don't get the second part of a
"FIN" closedown.  Does this ring any bells with anyone?

PPS: Is the order of the packets printed by tcpdump more reliable than the
timestamps?  I'm getting non-monotonic times for the fraction of a second.

 --
 `O O'  | Home: Nick.Holloway@alfie.demon.co.uk
// ^ \\ | Work: Nick.Holloway@parallax.co.uk
http://www.parallax.co.uk/~alfie/
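As an added illustration, not part of either message in this thread, the script below parses tcpdump-style one-line TCP output, flags timestamps that step backwards between consecutively printed packets (the PPS question) and reports TCP flows where one side's FIN never gets an answering FIN, optionally followed by a reset (the missing "second part of the FIN closedown"). The sample lines, host names and port numbers are constructed, not taken from a real trace.

```python
import re
from collections import defaultdict

# Constructed sample in the style of tcpdump's one-line TCP output (not a real capture).
# Flow pc.1025<->nt.21 closes cleanly; flow pc.1026<->nt.21 shows the failure mode
# from the post: the client's FIN is ACKed but the server never sends its own FIN
# and a RST follows. Lines 8 and 9 also show a backwards timestamp step.
SAMPLE = """\
14:53:01.100000 pc.1025 > nt.21: S 1000:1000(0) win 8192
14:53:01.110000 nt.21 > pc.1025: S 5000:5000(0) ack 1001 win 8760
14:53:01.120000 pc.1025 > nt.21: . ack 5001 win 8192
14:53:02.000000 pc.1025 > nt.21: F 1001:1001(0) ack 5001 win 8192
14:53:02.010000 nt.21 > pc.1025: . ack 1002 win 8760
14:53:02.020000 nt.21 > pc.1025: F 5001:5001(0) ack 1002 win 8760
14:53:02.030000 pc.1025 > nt.21: . ack 5002 win 8192
14:53:03.500000 pc.1026 > nt.21: F 2001:2001(0) ack 7001 win 8192
14:53:03.400000 nt.21 > pc.1026: . ack 2002 win 8760
14:53:04.000000 nt.21 > pc.1026: R 7001:7001(0) win 0
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+) (\S+) > (\S+): ([SFRP.]+)")

def parse(text):
    """Return a list of (seconds_since_midnight, src, dst, flags) per parsable line."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, frac = (int(x) for x in m.group(1, 2, 3, 4))
        t = h * 3600 + mi * 60 + s + frac / 10 ** len(m.group(4))
        pkts.append((t, m.group(5), m.group(6), m.group(7)))
    return pkts

def backwards_timestamps(pkts):
    """Indices of packets whose timestamp is earlier than the one printed before it."""
    return [i for i in range(1, len(pkts)) if pkts[i][0] < pkts[i - 1][0]]

def half_closed_flows(pkts):
    """(fin_sender, silent_peer, rst_seen) for flows where only one side sent FIN."""
    fins, rsts = defaultdict(set), set()
    for _, src, dst, flags in pkts:
        key = frozenset((src, dst))          # endpoint pair identifies the flow
        if "F" in flags:
            fins[key].add(src)
        if "R" in flags:
            rsts.add(key)
    return [(next(iter(senders)), next(iter(key - senders)), key in rsts)
            for key, senders in fins.items() if key - senders]
```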