Possible solution for a homebrew rig --

http://www.ntop.org/products/pf_ring/ - base wirespeed NIC driver

http://www.ntop.org/products/n2disk/ - software offering that uses the above 
that you can install to your own (adequate) hardware

Or their commercial offering --

http://www.ntop.org/products/nbox-2/nbox-recorder/ (comparable to the Riverbed 
offering, but somewhat cheaper)


HTH,
Will


-----Original Message-----
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On 
Behalf Of Charles Polisher
Sent: Friday, March 28, 2014 10:50 AM
To: Luke S. Crawford
Cc: LOPSA Technical Discussions
Subject: Re: [lopsa-tech] How do you detect microbursts?

Luke S. Crawford wrote:
> so, I've been having some problems with packet loss that I have reason 
> to believe have to do with "microbursts" of malicious traffic.
> 
> What I want is a tool that will detect these 'microbursts' and give me 
> a very detailed report of the packets flowing during the (very 
> small... one second? half second? quarter-second?) period of 
> time when my pipe is overwhelmed.
> 
> I'm thinking of setting up a perl script to just watch the output of 
> tcpdump; have that perl script save all the packets in a 100ms slice, 
> and to just dump all the packets for that 100ms to a log if the bytes 
> exceed my threshold, but before I do that, well, it seems to me like 
> there ought to be a standard way to deal with this problem.

Riverbed makes a Cascade Shark appliance that captures packets at line rate on 
fast links.

Homebrew, with a fast enough link you'd have a hard time getting anything such 
as pcap to capture many packets. Your chances might improve saving to a RAM 
disk, maybe set CPU affinity for the NIC Rx interrupts. On Linux it would 
likely need to be a newer (NAPI) NIC driver. Last week I ran tcpdump with the 
ring-buffer (-C) option in concert with an anomaly detection script that ran 
"pkill -HUP tcpdump" to catch a rare event.
(But not a particularly high frame rate).

--
Charles
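The windowing approach Luke sketches above (bucket packets into short slices, dump every packet from any slice whose byte total crosses a threshold), written out as an added example; this is not code from the thread or from any of the products Will links. It assumes tcpdump was run with -nn and either its default HH:MM:SS.uuuuuu timestamps or -tt epoch timestamps, and it takes the last "length N" field on each line as the packet size (for TCP lines that is tcpdump's payload length, so wire totals are somewhat higher). The sample input is constructed.

```python
"""Fixed-window microburst detector for tcpdump text output.

Added example, not code from the thread. Assumptions: tcpdump -nn output with
default HH:MM:SS.uuuuuu or -tt epoch timestamps; the last "length N" field on
a line is taken as the packet size. Sample input is constructed.
"""
import re
from dataclasses import dataclass, field

HMS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) ")   # default tcpdump timestamps
EPOCH_RE = re.compile(r"^(\d{9,})\.(\d{6}) ")                 # tcpdump -tt timestamps
LEN_RE = re.compile(r"\blength (\d+)")


@dataclass
class Window:
    start_us: int                       # window start in microseconds (since midnight, or epoch with -tt)
    total_bytes: int = 0
    packets: list = field(default_factory=list)


def parse_line(line):
    """Return (timestamp_us, length) for a packet line, or None for banner/summary lines."""
    m = HMS_RE.match(line)
    if m:
        h, mi, s, us = (int(x) for x in m.groups())
        t_us = ((h * 60 + mi) * 60 + s) * 1_000_000 + us
    else:
        m = EPOCH_RE.match(line)
        if not m:
            return None                 # "listening on ...", "N packets captured", etc.
        t_us = int(m.group(1)) * 1_000_000 + int(m.group(2))
    lengths = LEN_RE.findall(line)
    if not lengths:
        return None
    return t_us, int(lengths[-1])       # last "length N" on the line


def window_capacity_bytes(link_mbps, window_ms):
    """Bytes a link can carry in one window: the natural ceiling for a threshold."""
    return link_mbps * 1_000_000 // 8 * window_ms // 1000


def find_microbursts(lines, window_ms=100, threshold_bytes=None, link_mbps=None):
    """Bucket packets into fixed windows; return the windows whose byte total exceeds the threshold.

    With threshold_bytes unset, the threshold is 90% of what link_mbps can carry in one window.
    """
    if threshold_bytes is None:
        if link_mbps is None:
            raise ValueError("need threshold_bytes or link_mbps")
        threshold_bytes = window_capacity_bytes(link_mbps, window_ms) * 9 // 10
    window_us = window_ms * 1000
    windows = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t_us, length = parsed
        idx = t_us // window_us
        w = windows.setdefault(idx, Window(start_us=idx * window_us))
        w.total_bytes += length
        w.packets.append(line.rstrip("\n"))   # keep the packet for the report
    return [windows[i] for i in sorted(windows) if windows[i].total_bytes > threshold_bytes]


def fmt_us(t_us):
    """Render a microsecond timestamp as seconds.milliseconds."""
    return f"{t_us // 1_000_000}.{(t_us % 1_000_000) // 1000:03d}"


def constructed_sample():
    """Constructed tcpdump -nn style lines: a quiet 100 ms window, a burst, a quiet window."""
    tcp = "IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [.], seq 1:1449, ack 1, win 512, length 1448"
    lines = ["listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes"]
    lines += [f"10:50:01.{us:06d} {tcp}" for us in range(0, 75_000, 15_000)]       # 5 packets, 0-60 ms
    lines.append("10:50:01.050000 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 28")
    lines += [f"10:50:01.{120_000 + i * 3_000:06d} {tcp}" for i in range(20)]     # 20-packet burst, 120-177 ms
    lines += [f"10:50:01.{us:06d} {tcp}" for us in (250_000, 260_000, 270_000)]   # 3 packets, 250-270 ms
    return lines


if __name__ == "__main__":
    for w in find_microbursts(constructed_sample(), window_ms=100, threshold_bytes=10_000):
        print(f"burst at {fmt_us(w.start_us)}: {w.total_bytes} bytes in {len(w.packets)} packets")
        for p in w.packets:
            print("  " + p)
```

Feed it with something like `tcpdump -nn -tt -i eth0 | python3 microburst.py` (reading stdin instead of the constructed sample); -tt avoids the midnight wrap that HH:MM:SS timestamps would otherwise introduce into the window index. Deriving the threshold from link_mbps makes the point of the exercise visible: the 20-packet burst is invisible against a 1 s average but fills most of a 100 ms window on a slow link. Parsing text at high frame rates is itself lossy, which is why the replies above point at ring-buffer and pf_ring style capture; the same windowing logic applies unchanged to packets read from a pcap file afterwards.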

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators  
http://lopsa.org/