[46436] in North American Network Operators' Group
Re: Let's talk about Distance Sniffing/Remote Visibility
daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Thu Mar 28 13:14:49 2002
Date: Thu, 28 Mar 2002 13:14:17 -0500
From: Richard A Steenbergen <ras@e-gerbil.net>
To: "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
Cc: CARL.P.HIRSCH@sargentlundy.com, nanog@merit.edu
Message-ID: <20020328181413.GC6296@overlord.e-gerbil.net>
In-Reply-To: <Pine.LNX.4.20.0203281754180.6674-100000@www.everquick.net>

On Thu, Mar 28, 2002 at 05:59:20PM +0000, E.B. Dreger wrote:
>
> I like to log interesting packets; I agree with Carl.

Logging interesting packets is easy enough, it's logging ALL packets that
would be a problem. At any rate, you'd run out of hard drive space pretty
quick if you were pushing max performance at any length of time. I can
write a line-rate FastE's worth of data to a $100 IDE disk on a $100
processor easily enough, so as long as you're buffering it intelligently
it shouldn't be an issue.

> > Or if you're comfortable writing kernel code, I recommend you
> > make a character device for sniffer device control, and use it
> > to pass page-aligned malloc'd memory pointers from userland
> > into the nic driver, which you then pass to the card as the RX
> > ring buffers. This will let you DMA your packets directly into
> > userland. If not, at least unhook ether_input(). :)
>
> Never done this. About how much "capacity" does the zero-copy
> approach add?

Eliminating the bulk "data" being DMA'd across the PCI bus is what adds
most of your "capacity". Doing zero copy just lets you spend all your CPU
time doing actual analysis instead of copying stuff around unnecessarily.
I never did get the opportunity to benchmark it at 1.4 million packets/sec,
(I spent more time trying to get the 20ft of fiber to reach the lab at the
previous employer than I did writing the code to do this in the first
place) but I don't see any reason it shouldn't work, with proper interrupt
coalescing of course.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
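
The RX-ring handoff discussed in this message, modelled entirely in userland as an added example (not code from the original post or from any real driver): page-aligned buffers are allocated once, a stand-in for the card fills them, and the host inspects each frame in place before returning the slot. The descriptor layout, every function name, the ring size and the ARP filter are hypothetical, and `memcpy` stands in for the card's DMA write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define SLOTS 8               /* constructed ring size; real rings are larger */
#define SLOT_BYTES 2048       /* one frame buffer per slot */

struct rx_desc {              /* hypothetical descriptor layout */
    uint8_t *buf;             /* points into the page-aligned userland area */
    uint16_t len;             /* bytes the "card" wrote into buf */
    volatile uint8_t nic_owns; /* 1: card may fill, 0: host may read */
};
struct rx_ring { struct rx_desc d[SLOTS]; unsigned head, tail; };

/* Allocate page-aligned buffers once and hand every slot to the "card". */
int ring_init(struct rx_ring *r) {
    void *area;
    if (posix_memalign(&area, (size_t)sysconf(_SC_PAGESIZE), SLOTS * SLOT_BYTES)) return -1;
    for (unsigned i = 0; i < SLOTS; i++)
        r->d[i] = (struct rx_desc){ (uint8_t *)area + i * SLOT_BYTES, 0, 1 };
    r->head = r->tail = 0;
    return 0;
}

/* Stand-in for the card's DMA write; returns 0 when the frame is dropped. */
int nic_rx(struct rx_ring *r, const void *frame, uint16_t len) {
    struct rx_desc *d = &r->d[r->head];
    if (!d->nic_owns || len > SLOT_BYTES) return 0;  /* ring full or oversize */
    memcpy(d->buf, frame, len);   /* models the DMA itself, not a host copy */
    d->len = len;
    d->nic_owns = 0;              /* publish the slot to the host */
    r->head = (r->head + 1) % SLOTS;
    return 1;
}

/* Host side: inspect frames in place, then return each slot to the card. */
int host_poll(struct rx_ring *r, int (*pick)(const uint8_t *, uint16_t)) {
    int hits = 0;
    while (!r->d[r->tail].nic_owns) {
        struct rx_desc *d = &r->d[r->tail];
        hits += pick(d->buf, d->len);   /* analysis reads the buffer directly */
        d->nic_owns = 1;
        r->tail = (r->tail + 1) % SLOTS;
    }
    return hits;
}

/* Constructed filter: "interesting" here means EtherType 0x0806 (ARP). */
int is_arp(const uint8_t *p, uint16_t n) { return n >= 14 && p[12] == 0x08 && p[13] == 0x06; }
```

When the host falls behind, `nic_rx` returns 0 and the frame is lost, which is the drop a capture box has to count if its logs are to be trusted.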