Aggregating many ports into one for tcpdump server.
Vlad GALU
dudu at dudu.ro
Wed Dec 5 01:25:38 PST 2007
On 12/5/07, Robert Watson <rwatson at freebsd.org> wrote:
>
> On Tue, 4 Dec 2007, Peter Losher wrote:
>
> > I am currently working on a tcpdump collector where we have multiple feeds
> > coming in (via bge{0-8}). Since tcpdump can only poll one interface per
> > process, I was hoping to aggregate the traffic onto one pseudo-interface for
> > tcpdump to hold onto and to poll.
> >
> > Looking thru the archives, it seems ng_one2many (in this case 'many2one') is
> > what I am looking for. Am I barking the right tree here?
>
> Depending on the configuration of the system (number of interfaces, number of
> CPUs, etc), you may find that running many tcpdump sessions results on greater
> throughput due to making better use of parallelism. For example, if you have
> eight cores and four interfaces, then you can end up running with one ithread
> and one tcpdump session, each on their own CPU, per interface. Of course, if
> you have many more interfaces than CPUs/pairs, then you just end up with much
> more context-switching, which will hurt performance. BTW, if you find you're
> getting packet loss in BPF processing at high rates, we should have you try
> the zero-copy BPF patches. Finally, another configuration you might consider
> is a single 10gbps card configured as a vlan trunk attached to a switch
> serving the various vlans to various switch ports. I'm not sure if that will
> be faster or lower, but it would be different. :-)
I would like to try the aforementioned patches too. Can you please
point me to a link?
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
--
Mahnahmahnah!
More information about the freebsd-net
mailing list