capturing packets on 250mb link

Ganbold ganbold at micom.mng.net
Mon Apr 28 09:13:23 UTC 2008 

Vlad GALU wrote:
> On 4/28/08, Ganbold <ganbold at micom.mng.net> wrote:
>   
>> Vlad,
>>
>>
>>  Vlad GALU wrote:
>>
>>     
>>> On 4/28/08, Ganbold <ganbold at micom.mng.net> wrote:
>>>
>>>
>>>       
>>>> Hi all,
>>>>
>>>>  What is the best way to capture packets on 250mb link?
>>>>  What kernel features/modules or tools (less CPU/RAM overhead) should I
>>>>         
>> use?
>>     
>>>>         
>>>    Given your OS version, I'd say that setting the BPF buffer size to
>>> around 1MB and setting the monitor flag on the capture interface would
>>> give you very good results. In that combination we've been doing
>>> packtet capture at gigabit speeds without packet loss.
>>>
>>>
>>>       
>>  Thanks Vlad. So then it means something like following will work in our
>> case:
>>
>>  #sysctl net.bpf.bufsize: 1048576
>>  #ifconfig bge1 monitor up
>>  #tcpdump -i bge1 -s0 -w capture.log -C 2048 -W 100
>>
>>  Correct me if I'm wrong here.
>>     
>
>
>     Yes, it should do the job. However I can't understand why you want
> a snaplen of 0, as 68 should be the minimum to accomodate the
> ethernet+ip+tcp/udp headers.
>   
Thanks Vlad.
According to tcpdump(1):

       -s     Snarf  snaplen  bytes  of  data from each packet rather 
than the
              default of 68 (with SunOS's NIT, the minimum  is  
actually  96).
              68  bytes is adequate for IP, ICMP, TCP and UDP but may 
truncate
              protocol information from  name  server  and  NFS  
packets  (see
              below).   Packets  truncated  because  of a limited 
snapshot are
              indicated in the output with ``[|proto]'', where  proto  
is  the
              name of the protocol level at which the truncation has 
occurred.
              Note that taking larger snapshots both increases the  
amount  of
              time it takes to process packets and, effectively, 
decreases the
              amount of packet buffering.  This may cause packets to be  
lost.
              You  should  limit snaplen to the smallest number that 
will cap-
              ture the protocol information  you're  interested  in.   
Setting
              snaplen  to 0 means use the required length to catch whole 
pack-
              ets.

Ganbold

>   
>>  thanks,
>>
>>  Ganbold
>>
>>
>>
>>     
>>>       
>>>>  I have FreeBSD 7.0-STABLE machine (
>>>>  CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2822.51-MHz 686-class CPU),
>>>>  FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
>>>>  1GM RAM, ad2: 76319MB <Maxtor 6L080M0 BANC1G10> at ata1-master
>>>>         
>> SATA150).
>>     
>>>>  #uname -an
>>>>  FreeBSD ng1.micom.mng.net 7.0-STABLE FreeBSD 7.0-STABLE #3: Sat Apr 26
>>>> 14:08:06 ULAT 2008     tsgan at ng1.micom.mng.net:/usr/obj/usr/src/sys/NG
>>>>         
>> i386
>>     
>>>>  #pciconf -lv|more
>>>>  ...
>>>>  bge0 at pci0:2:0:0:        class=0x020000 card=0x1659103c chip=0x165914e4
>>>> rev=0x11 hdr=0x00
>>>>   vendor     = 'Broadcom Corporation'
>>>>   device     = 'BCM5721 NetXtreme Gigabit Ethernet PCI Express'
>>>>   class      = network
>>>>   subclass   = ethernet
>>>>  ...
>>>>
>>>>  Are there any considerations on hardware?
>>>>
>>>>  thanks in advance,
>>>>
>>>>  Ganbold
>>>>
>>>>  --
>>>>  Cats, no less liquid than their shadows, offer no angles to the wind.
>>>>
>>>>  _______________________________________________
>>>>  freebsd-net at freebsd.org mailing list
>>>>  http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>  To unsubscribe, send any mail to
>>>> "freebsd-net-unsubscribe at freebsd.org"
>>>>
>>>>
>>>>
>>>>         
>>>
>>>
>>>       
>>  --
>>  Look out! Behind you!
>>
>>     
>
>
>   


-- 
Slowly and surely the Unix crept up on the Nintendo user ...

More information about the freebsd-net mailing list