Date:      Fri, 24 Mar 2006 18:17:28 -0500
From:      Charles Swiger <cswiger@mac.com>
To:        Paul Haddad <paul.haddad@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Non dropping packet monitor
Message-ID:  <A636D985-E160-46D1-B6EA-4C868B7A88AF@mac.com>
In-Reply-To: <944074f30603241446i33f5eb26p187b2d7ff23d73de@mail.gmail.com>
References:  <944074f30603241446i33f5eb26p187b2d7ff23d73de@mail.gmail.com>

On Mar 24, 2006, at 5:46 PM, Paul Haddad wrote:
> I need to monitor packets flowing in/out of a FreeBSD 6.x box in a
> tcpdump/pcap (monitor only) style but I can't have packets dropped as
> tcpdump often does when its buffer fills up.
>
> I'm fine if the entire network connection slows down because of this,
> the important thing is that I can get access to each and every packet
> on a given interface.
>
> Any suggestions?  Is there some pcap option that I need to look at?

If your dumps will fit into a RAM disk, use that, otherwise you're  
presumably [1] going to be limited to how fast you can scribble the  
packets to your disks.  Figure out the fastest you can do that, and  
then use dummynet to limit your network bandwidth to what your system  
is capable of capturing...

-- 
-Chuck

[1]: If you're capturing all of the packets, your PCAP expression  
shouldn't require much work to process, so you shouldn't be using a  
ton of CPU...
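
The procedure described above (measure how fast the capture disk can be written, then cap the link with dummynet), sketched as an added example that is not part of the original e-mail. The interface name, pipe and rule numbers, the 80% headroom, the 60-byte worst-case packet size and the test file name are assumptions; the 16 bytes per packet are the record header of the classic pcap file format.

```shell
#!/bin/sh
# Added example: size a dummynet pipe from a measured capture-disk write rate.
# Assumed values: 60-byte worst-case packets, 80% headroom, pipe 1 / rule 100.

PCAP_REC_HDR=16   # bytes the classic pcap file format adds per stored packet

# measure_disk_bps DIR MEGABYTES -> write rate in bytes/s (flush included)
measure_disk_bps() {
    f="$1/pcap-write-test.$$"
    start=$(date +%s)
    dd if=/dev/zero of="$f" bs=1048576 count="$2" 2>/dev/null || { rm -f "$f"; return 1; }
    sync
    end=$(date +%s)
    rm -f "$f"
    secs=$(( end - start ))
    [ "$secs" -gt 0 ] || secs=1   # clamp: under-estimating the disk is the safe side
    echo $(( $2 * 1048576 / secs ))
}

# safe_kbit DISK_BPS PKT_BYTES HEADROOM_PCT -> link rate in Kbit/s
safe_kbit() {
    # Each captured packet costs PKT_BYTES + PCAP_REC_HDR on disk, so small
    # packets fill the disk faster than the same number of wire bytes suggests.
    wire=$(( $1 * $2 / ($2 + PCAP_REC_HDR) ))
    echo $(( wire * $3 / 100 * 8 / 1000 ))
}

# pipe_cmds IFACE KBIT -> prints the ipfw commands for review; runs nothing
pipe_cmds() {
    echo "kldload dummynet"
    echo "ipfw pipe 1 config bw ${2}Kbit/s"
    echo "ipfw add 100 pipe 1 ip from any to any via ${1}"
}

# Usage: sh size-pipe.sh /path/to/capture/dir em0
# Use a test size well above RAM cache effects; a short write flatters the disk.
if [ $# -ge 2 ]; then
    rate=$(measure_disk_bps "$1" 1024) || exit 1
    pipe_cmds "$2" "$(safe_kbit "$rate" 60 80)"
fi
```

While the capture runs, the "packets dropped by kernel" count that tcpdump prints on exit shows whether the chosen rate was low enough.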
