Aggregating many ports into one for tcpdump server.
Robert Watson
rwatson at FreeBSD.org
Tue Dec 4 18:22:44 PST 2007
On Tue, 4 Dec 2007, Peter Losher wrote:
> I am currently working on a tcpdump collector where we have multiple feeds
> coming in (via bge{0-8}). Since tcpdump can only poll one interface per
> process, I was hoping to aggregate the traffic onto one pseudo-interface for
> tcpdump to hold onto and to poll.
>
> Looking thru the archives, it seems ng_one2many (in this case 'many2one') is
> what I am looking for. Am I barking the right tree here?
Depending on the configuration of the system (number of interfaces, number of
CPUs, etc), you may find that running many tcpdump sessions results on greater
throughput due to making better use of parallelism. For example, if you have
eight cores and four interfaces, then you can end up running with one ithread
and one tcpdump session, each on their own CPU, per interface. Of course, if
you have many more interfaces than CPUs/pairs, then you just end up with much
more context-switching, which will hurt performance. BTW, if you find you're
getting packet loss in BPF processing at high rates, we should have you try
the zero-copy BPF patches. Finally, another configuration you might consider
is a single 10gbps card configured as a vlan trunk attached to a switch
serving the various vlans to various switch ports. I'm not sure if that will
be faster or lower, but it would be different. :-)
Robert N M Watson
Computer Laboratory
University of Cambridge
More information about the freebsd-net
mailing list