using sniffer on high-bandwidth pipes
Alexei Roudnev
alex at relcom.net
Tue Dec 7 08:42:30 UTC 2004
We are using FreeBSD 4.x on 1Gbit Ethernet (for snifferring). Never had a
problems (but I should not garantee 100% snifferring on 400,000pps).
In reality, correct, pps is important, bandwidth is not important. If
traffic is VoIP, it's a problem; if it is 90% WEB, it's an easy task.
----- Original Message -----
From: "Steve Francis" <sfrancis at fastclick.com>
To: "todd romero" <todd at routeflap.net>
Cc: <nanog at nanog.org>
Sent: Friday, December 03, 2004 8:08 AM
Subject: Re: using sniffer on high-bandwidth pipes
>
> It probably depends more on pps than bandwidth.
> At a prior job, I used FreeBSD 4.x machines to capture over 400,000 pps,
> I think, on gigabit links.
> You need a nic that is supported with one of the device polling drivers
> to keep CPU manageable. (Intel, not yet broadcom.)
>
> FreeBSD far surpassed Solaris in packet capture performance.
>
> Linux 2.6 machines may do OK, using NAPI - but I've no experience with
that.
>
>
> todd romero wrote:
>
> >does anyone have expirience using a sniffer on a hi-capacity network
> >segment, that might know if there are limitations I need to worry about?
> >
> >example: customers doing EMC database replication across a mpls link, and
> >when the capacity reaches aprox. 250 Mbp/s packets are arriving out of
> >sequence etc. So we need to put sniffers on both sides to capture some
> >data to see whats happeneing when the capacity reaches 250mbps.
> >
> >what kind of system requirements would be needed to be able to be able to
> >capture that amount of data. For some reason, I dont think that the Dolch
> >Pac 65 sniffers we have (running nt4 and sniffer pro2) would be able to
> >handle that kind of data? If they cant, we can probbaly use a sun box.
> >what kind of specs would the box need?
> >
> >tia,
> >tr
> >
> >
>
More information about the NANOG
mailing list