From: Charles Swiger
Date: Fri, 24 Mar 2006 18:17:28 -0500
To: Paul Haddad
Cc: freebsd-net@freebsd.org
Subject: Re: Non dropping packet monitor

On Mar 24, 2006, at 5:46 PM, Paul Haddad wrote:

> I need to monitor packets flowing in/out of a freebsd 6.x box in a
> tcpdump/pcap (monitor only) style but I can't have packets dropped as
> tcpdump often does when its buffer fills up.
>
> I'm fine if the entire network connection slows down because of this,
> the important thing is that I can get access to each and every packet
> on a given interface.
>
> Any suggestions? Is there some pcap option that I need to look at?

If your dumps will fit into a RAM disk, use that, otherwise you're
presumably [1] going to be limited to how fast you can scribble the
packets to your disks. Figure out the fastest you can do that, and
then use dummynet to limit your network bandwidth to what your system
is capable of capturing...

--
-Chuck

[1]: If you're capturing all of the packets, your PCAP expression
shouldn't require much work to process, so you shouldn't be using a
ton of CPU...
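
The procedure suggested in the reply above (measure the sustained disk write rate, then cap the interface with dummynet), as an added example that is not part of the original message. The interface name em0, pipe number 1, rule number 100, the capture path and the 20% headroom are assumptions, and the dd summary line is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): size a dummynet pipe from a measured
# disk write rate. Interface name, rule number 100, pipe number 1 and the
# 20% headroom are assumptions. dummynet(4) must be loaded or compiled in.

# Extract bytes/sec from the summary line FreeBSD dd(1) writes to stderr, e.g.
#   dd if=/dev/zero of=/var/capture/ddtest bs=1m count=1024 2>&1 | tail -n 1
dd_rate() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\) bytes\/sec).*/\1/p'
}

# Convert bytes/sec to a pipe bandwidth in Kbit/s, holding back headroom_pct
# percent for pcap per-packet record headers and write-rate jitter.
# Refuses to produce a limit when the rate is missing or not a number.
cap_kbit() {
    case $1 in ''|*[!0-9]*) echo "no usable write rate" >&2; return 1 ;; esac
    headroom_pct=${2:-20}
    echo $(( $1 * 8 / 1000 * (100 - headroom_pct) / 100 ))
}

# Print the ipfw commands: one pipe shared by both directions, because the
# capture file receives inbound and outbound packets alike.
pipe_rules() {
    echo "ipfw pipe 1 config bw ${2}Kbit/s"
    echo "ipfw add 100 pipe 1 ip from any to any via ${1}"
}

# Dry run on a constructed dd summary line; nothing is applied to the system.
sample='1073741824 bytes transferred in 12.345678 secs (86973087 bytes/sec)'
rate=$(dd_rate "$sample")
kbit=$(cap_kbit "$rate") && pipe_rules em0 "$kbit"
```

Run the dd measurement against the same filesystem the capture will be written to, and start the capture (for instance tcpdump -i em0 -s 0 -w on that filesystem) only after the printed ipfw rules are in place.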