[76236] in North American Network Operators' Group


Re: using sniffer on high-bandwidth pipes

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Dec 3 15:20:18 2004

In-Reply-To: <41B08F6B.3090103@fastclick.com>
Cc: todd romero <todd@routeflap.net>, nanog@nanog.org
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Fri, 3 Dec 2004 21:19:21 +0100
To: Steve Francis <sfrancis@fastclick.com>
Errors-To: owner-nanog-outgoing@merit.edu


On 3-dec-04, at 17:08, Steve Francis wrote:

> It probably depends more on pps than bandwidth.

Although if you have very high bandwidth you may run into trouble with 
the PCI bus. 33 MHz 32 bit PCI can barely manage 1 Gbps, and that's 
without taking overhead into account.

> At a prior job, I used FreeBSD 4.x machines to capture over 400,000 
> pps, I think, on gigabit links.

I managed to do 600k with 32% CPU on a not-too-high-end machine two 
years ago. (Just taking the packets off the wire and running them 
through BPF, no processing, though.)

If you use BPF or pcap, don't forget to increase the capture buffer or 
you'll have overruns, and don't capture more of the packet than you 
need.
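
A simplified model of the buffer and snap-length advice above, added here as an illustration and not part of the original post. It treats the capture buffer as a single byte-limited queue that the reader empties at fixed intervals; the 600k pps rate is the figure from the post, while the 200-byte packet size, 10 ms reader interval and 24-byte per-record overhead are assumptions.

```python
NS = 1_000_000_000           # nanoseconds per second (integer time avoids float drift)
PER_RECORD_OVERHEAD = 24     # assumed per-packet header/padding bytes in the buffer

def stored_len(wire_len, snaplen):
    """Bytes one packet occupies in the buffer after truncation to snaplen."""
    return min(wire_len, snaplen) + PER_RECORD_OVERHEAD

def simulate(pps, wire_len, duration_ns, buffer_bytes, snaplen, drain_ns):
    """Feed constant-rate traffic into a buffer the reader empties every drain_ns.
    Returns (captured, dropped); a packet that does not fit counts as an overrun."""
    used = captured = dropped = 0
    next_drain = drain_ns
    rec = stored_len(wire_len, snaplen)
    for i in range(pps * duration_ns // NS):
        t = i * NS // pps                 # arrival time of packet i
        while t >= next_drain:            # reader woke up and emptied the buffer
            used = 0
            next_drain += drain_ns
        if used + rec > buffer_bytes:
            dropped += 1                  # buffer full: overrun
        else:
            used += rec
            captured += 1
    return captured, dropped

def min_buffer_bytes(pps, wire_len, snaplen, drain_ns):
    """Smallest buffer that holds everything arriving between two reader wake-ups."""
    per_interval = -(-pps * drain_ns // NS)   # ceiling division
    return per_interval * stored_len(wire_len, snaplen)

if __name__ == "__main__":
    # Constructed scenario: 600k pps of 200-byte packets for 0.1 s, reader every 10 ms.
    pps, wire, dur, drain = 600_000, 200, NS // 10, 10_000_000
    for label, buf, snap in [
        ("1 MiB buffer, full packets", 1 << 20, 65535),
        ("1 MiB buffer, snaplen 96  ", 1 << 20, 96),
        ("4 MiB buffer, full packets", 4 << 20, 65535),
    ]:
        cap, drop = simulate(pps, wire, dur, buf, snap, drain)
        print(f"{label}: captured={cap} dropped={drop}")
    print("minimum buffer for full packets:",
          min_buffer_bytes(pps, wire, 65535, drain), "bytes")
```

In this model the same 1 MiB buffer that overruns with full packets keeps up once the snap length is cut to 96 bytes, and a larger buffer removes the overruns without truncation.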

