[76243] in North American Network Operators' Group
Re: using sniffer on high-bandwidth pipes
daemon@ATHENA.MIT.EDU (JP Velders)
Fri Dec 3 17:09:25 2004
Date: Fri, 3 Dec 2004 23:08:57 +0100 (CET)
From: JP Velders <jpv@veldersjes.net>
To: todd romero <todd@routeflap.net>
Cc: nanog@nanog.org
In-Reply-To: <20041203103450.R8910@ns.routeflap.net>
Errors-To: owner-nanog-outgoing@merit.edu
> Date: Fri, 3 Dec 2004 10:47:08 -0500 (EST)
> From: todd romero <todd@routeflap.net>
> To: nanog@nanog.org
> Subject: using sniffer on high-bandwidth pipes
> does anyone have experience using a sniffer on a hi-capacity network
> segment, that might know if there are limitations I need to worry about?
> example: customers doing EMC database replication across an MPLS link, and
> when the capacity reaches approx. 250 Mbp/s packets are arriving out of
> sequence etc. So we need to put sniffers on both sides to capture some
> data to see what's happening when the capacity reaches 250mbps.
Well, there was a nice presentation at SANE 2004 about using Linux
with some tweaks... It also compared it, model- and performance-wise,
with the features available under FreeBSD (4.x IIRC):
http://www.nluug.nl/events/sane2004/abstracts/ab.html?id=100
Luca is the man behind NTOP:
http://www.ntop.org/
Luca showed that moderate hardware is capable of handling Gb/s speeds
at above 90% capture rate if you use the right combination of logic
and tools (PF_Ring). In his case a moderate P3 and I believe somewhere
upwards of 600Mbps... The goal was mainly to reduce the load of the
CPU to allow the machine to actually process the packets it has
captured ;)
The ntop website has some papers:
http://www.ntop.org/documentation.html
> tia,
> tr
Kind Regards,
JP Velders