Aggregating many ports into one for tcpdump server.
Robert Watson
rwatson at FreeBSD.org
Wed Dec 5 01:43:07 PST 2007
On Wed, 5 Dec 2007, Vlad GALU wrote:
>> Depending on the configuration of the system (number of interfaces, number
>> of CPUs, etc), you may find that running many tcpdump sessions results on
>> greater throughput due to making better use of parallelism. For example,
>> if you have eight cores and four interfaces, then you can end up running
>> with one ithread and one tcpdump session, each on their own CPU, per
>> interface. Of course, if you have many more interfaces than CPUs/pairs,
>> then you just end up with much more context-switching, which will hurt
>> performance. BTW, if you find you're getting packet loss in BPF processing
>> at high rates, we should have you try the zero-copy BPF patches. Finally,
>> another configuration you might consider is a single 10gbps card configured
>> as a vlan trunk attached to a switch serving the various vlans to various
>> switch ports. I'm not sure if that will be faster or lower, but it would
>> be different. :-)
>
> I would like to try the aforementioned patches too. Can you please point me
> to a link?
You can download our experimental tarball from here:
http://www.watson.org/~robert/freebsd/20071103-zcopybpf.tgz
You can find a BSDCan quick talk on the topic here:
http://www.watson.org/~robert/freebsd/2007bsdcan/20070517-devsummit-zerocopybpf.pdf
I've had several reports of significantly improved packet capture rates at
high speeds with it, but it's not yet in the tree because we feel it needs
more evaluation and review. I hope to ship some form of zero-copy BPF buffer
support in FreeBSD 8, and possibly even MFC it. Any feedback you might have
would be most helpful.
Robert N M Watson
Computer Laboratory
University of Cambridge
More information about the freebsd-net
mailing list