Capturing heavy traffic

There is an interesting discussion taking place on the tcpdump mailing list about capturing heavy traffic (150 Mbps). From my experience there is a whole chain of factors that play into capturing traffic at high speeds. Starting with the NIC card, performance issues can crop up if the card does not have adequate buffer space (Intel's 100 ProS or 1000MX have 128K for receive, for example). From there the NIC has to raise interrupt requests (IRQs) to move data for both sending and receiving. This is an OS issue: it must have fast interrupt handling code. Next the buffer has to be copied off the card, typically into the IP stack of the OS, and then and only then does your application get to copy the packet out of BPF. Each stage is a place where packets can be dropped before the capture tool ever sees them.

Improvements have been made to address these bottlenecks, for instance using mmap to minimize packet copies (Phil Wood's libpcap patch) and modifications directly to BPF. The discussion on the tcpdump list suggests similar measures: using a TAP (like Net Optics), hardware with high internal bandwidth such as a 533 MHz or greater FSB and PCI-X or 64-bit/66 MHz PCI, a decent NIC card, and a *BSD OS. A very interesting paper cited is Improving Passive Packet Capture: Beyond Device Polling.
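Whatever hardware and OS you end up with, the practical question is whether packets are being lost at one of the stages above, and where. The following is an added example (not from the original post or the tcpdump project) that checks the two points you can observe without special tooling: NIC receive FIFO overruns, reported per interface in Linux's /proc/net/dev, and the kernel-to-application handoff, reported in the three-line summary tcpdump prints to stderr when it exits. Both inputs below are constructed samples; the /proc/net/dev column order is the real one.

```python
"""
Locate capture loss at two stages of the chain described in the post:
the NIC (receive FIFO overruns in /proc/net/dev) and the kernel buffer
that the capture application reads from (tcpdump's exit summary).

Added example, not part of the original post. Both inputs are
constructed samples.
"""
import re
from dataclasses import dataclass

# Constructed sample of the summary tcpdump prints to stderr on exit.
TCPDUMP_SUMMARY = """\
1234 packets captured
1300 packets received by filter
66 packets dropped by kernel
"""

# Constructed /proc/net/dev snapshot; the column layout is the standard Linux one.
PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000000    5000    0    0    0     0          0         0  1000000    5000    0    0    0     0       0          0
  eth1: 987654321 8000000    0  120 4500     0          0       300    12345     200    0    0    0     0       0          0
"""


@dataclass
class CaptureStats:
    captured: int
    received: int
    dropped: int

    @property
    def drop_fraction(self) -> float:
        # What "received by filter" counts differs between platforms (on some
        # it already includes the dropped packets), so treat this as an
        # approximate loss indicator rather than an exact ratio.
        return self.dropped / self.received if self.received else 0.0


def parse_tcpdump_summary(text: str) -> CaptureStats:
    """Extract the three counters from tcpdump's exit summary."""
    counts = {}
    for key, pattern in (("captured", r"(\d+) packets captured"),
                         ("received", r"(\d+) packets received by filter"),
                         ("dropped", r"(\d+) packets dropped by kernel")):
        m = re.search(pattern, text)
        counts[key] = int(m.group(1)) if m else 0
    return CaptureStats(**counts)


@dataclass
class NicRxStats:
    packets: int
    errs: int
    drop: int
    fifo: int  # FIFO overruns: the NIC's receive buffer filled before it was serviced


def parse_proc_net_dev(text: str, iface: str) -> NicRxStats:
    """Return the receive-side counters for one interface."""
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no interface data
        name, fields = line.split(":", 1)
        if name.strip() != iface:
            continue
        cols = fields.split()
        # Receive columns: bytes packets errs drop fifo frame compressed multicast
        return NicRxStats(packets=int(cols[1]), errs=int(cols[2]),
                          drop=int(cols[3]), fifo=int(cols[4]))
    raise KeyError(f"interface {iface!r} not found in /proc/net/dev data")


def report(summary: str, netdev: str, iface: str) -> list[str]:
    """One finding per stage that shows loss; empty list means a clean capture."""
    findings = []
    cap = parse_tcpdump_summary(summary)
    if cap.dropped:
        findings.append(f"kernel dropped {cap.dropped} of {cap.received} packets "
                        f"({cap.drop_fraction:.2%}): the kernel capture buffer filled "
                        f"before the application read it")
    nic = parse_proc_net_dev(netdev, iface)
    if nic.fifo:
        findings.append(f"{iface}: {nic.fifo} receive FIFO overruns: the NIC buffer "
                        f"filled before the driver serviced it")
    if nic.drop:
        findings.append(f"{iface}: {nic.drop} packets dropped by the driver/stack")
    return findings


if __name__ == "__main__":
    for finding in report(TCPDUMP_SUMMARY, PROC_NET_DEV, "eth1"):
        print(finding)
```

Run it against a real host by reading /proc/net/dev before and after a capture and feeding tcpdump's stderr to `report`; FIFO overruns point at the NIC and interrupt-servicing end of the chain, while "dropped by kernel" points at the buffer between BPF and the application, which is the stage the mmap patch and a larger capture buffer address.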
