Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment

From: Evan Huus <eapache () gmail com>
Date: Wed, 12 Dec 2012 14:42:43 -0500
Hi John,

If you don't need the entire payload of every packet (for example, if
the signalling you care about is always within the first n bytes of
the header of a packet), then you can use the -s option to write only
the first n bytes of each packet to disk.

Otherwise, you've listed all of the other things I was going to suggest.

Hope this helps,
Evan

On Wed, Dec 12, 2012 at 2:33 PM, John Powell <jrp999 () gmail com> wrote:

Hi Everyone,

I am using DUMPCAP to capture packets in a high packet rate environment.

My operating system is: CENTOS 6.3

I am experience this problem on source compiled versions:  wireshark-1.6.12
and wireshark-1.8.4.

In order to allow DUMPCAP to be run as a NON-ROOT user I am using the
following:

setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap -v

The issue is that I am experiencing packet loss to apparent disk contention
when writing the packets to the disk - see attached file:
packet-loss-atop.txt

To help alleviate the problem I have tried the following:

Disabled SELINUX
Disabled AUDIT
RAID 0 (striped disks) to load share the writing out of the data

ARRAY /dev/md2 level=raid0 num-devices=2
   devices=/dev/sda4,/dev/sdb4

Turn off journals on ext4

tune2fs -o journal_data_writeback /dev/md2
tune2fs -O ^has_journal /dev/md2
change fstab to:

UUID=.. /data   ext4    defaults,data=writeback         0 0

Use -B option on Dumpcap to buffer the data

root      /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not
udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b filesize:250000 -b
duration:900 -w /data/eth1.cap

These changes have increased the throughput but I still experience packet
loss - see attached IO Graph: packet-loss-io-graph.jpg

The Vendor solutions we have looked at will not decode UNISTIM signalling
properly which is requirement for this tool.

Any suggestions on how to better configure either the operating system or
wireshark to increase packet capture throughput will be greatly appreciated.

Thanks in advance for your assistance.

-John

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: