
Date: Fri, 3 Dec 2004 10:47:08 -0500 (EST)
From: todd romero <todd@routeflap.net>
To: nanog@nanog.org
Subject: using sniffer on high-bandwidth pipes

Does anyone have experience using a sniffer on a hi-capacity network segment, that might know if there are limitations I need to worry about?

Example: customers doing EMC database replication across an MPLS link, and when the capacity reaches approx. 250 Mbp/s packets are arriving out of sequence etc. So we need to put sniffers on both sides to capture some data to see what's happening when the capacity reaches 250mbps.

Well, there was a nice presentation at SANE 2004 about using Linux with some tweaks... It also compared it, model- and performance-wise, with the features available under FreeBSD (4.x IIRC):

http://www.nluug.nl/events/sane2004/abstracts/ab.html?id=100

Luca is the man behind NTOP:

http://www.ntop.org/

Luca showed that moderate hardware is capable of handling Gb/s speeds at above 90% capture rate if you use the right combination of logic and tools (PF_Ring). In his case a moderate P3 and I believe somewhere upwards of 600Mbps... The goal was mainly to reduce the load of the CPU to allow the machine to actually process the packets it has captured ;)

The ntop website has some papers:

http://www.ntop.org/documentation.html

tia, tr
Kind Regards, JP Velders