North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: using sniffer on high-bandwidth pipes

  • From: JP Velders
  • Date: Fri Dec 03 17:10:12 2004

> Date: Fri, 3 Dec 2004 10:47:08 -0500 (EST)
> From: todd romero <[email protected]>
> To: [email protected]
> Subject: using sniffer on high-bandwidth pipes

> does anyone have expirience using a sniffer on a hi-capacity network
> segment, that might know if there are limitations I need to worry about?

> example: customers doing EMC database replication across a mpls link, and
> when the capacity reaches aprox. 250 Mbp/s packets are arriving out of
> sequence etc.  So we need to put sniffers on both sides to capture some
> data to see whats happeneing when the capacity reaches 250mbps.

Well, there was a nice presentation at SANE 2004 about using Linux
with some tweaks... It also compared it model and performance wise
with the features available under FreeBSD (4.x IIRC):

Luca is the man behind NTOP:

Luca showed that moderate hardware is capable of handling Gb/s speeds
at above 90% capture rate if you use the right combination of logic
and tools (PF_Ring). In his case a moderate P3 and I believe somewhere
upwards of 600Mbps... The goal was mainly to reduce the load of the
CPU to allow the machine to actually process the packets it has
captured ;)

The ntop website has some papers:

> tia,
> tr

Kind Regards,
JP Velders