Possible solution for a homebrew rig --

http://www.ntop.org/products/pf_ring/ - base wirespeed NIC driver
http://www.ntop.org/products/n2disk/ - software offering that uses the above that you can install to your own (adequate) hardware

Or their commercial offering -- http://www.ntop.org/products/nbox-2/nbox-recorder/ (comparable to the Riverbed offering, but somewhat cheaper)

HTH,
Will

-----Original Message-----
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On Behalf Of Charles Polisher
Sent: Friday, March 28, 2014 10:50 AM
To: Luke S. Crawford
Cc: LOPSA Technical Discussions
Subject: Re: [lopsa-tech] How do you detect microbursts?

Luke S. Crawford wrote:
> so, I've been having some problems with packet loss that I have reason
> to believe have to do with "microbursts" of malicious traffic.
>
> What I want is a tool that will detect these 'microbursts' and give me
> a very detailed report of the packets flowing during the (very
> small... one second? half second? quarter-second?) period of
> time when my pipe is overwhelmed.
>
> I'm thinking of setting up a perl script to just watch the output of
> tcpdump; have that perl script save all the packets in a 100ms slice,
> and to just dump all the packets for that 100ms to a log if the bytes
> exceed my threshold, but before I do that, well, it seems to me like
> there ought to be a standard way to deal with this problem.

Riverbed makes a Cascade Shark appliance that captures packets at line rate on fast links. Homebrew, with a fast enough link you'd have a hard time getting anything such as pcap to capture many packets. Your chances might improve saving to a RAM disk, maybe set CPU affinity for the NIC Rx interrupts. On Linux it would likely need to be a newer (NAPI) NIC driver. Last week I ran tcpdump with the ring-buffer (-C) option in concert with an anomaly detection script that ran "pkill -HUP tcpdump" to catch a rare event. (But not a particularly high frame rate).
--
Charles
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
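Luke's "100ms slice" idea from the quoted message, written out as an added example (not code from anyone in this thread, nor from ntop or Riverbed). It assumes `tcpdump -tt -n -e -l` output, where each line starts with an epoch timestamp and the first "length N" is the on-wire frame length; the function names, the 10 Mbit/s default and the sample lines are all constructed for illustration. Frames are bucketed into fixed windows and any window whose byte total exceeds a per-link threshold is reported together with the lines that fell into it, so the detection runs on a live tcpdump pipe without storing the whole capture. One caveat a practitioner should keep in mind: with fixed windows a burst that straddles a boundary is split in two, so the threshold is tested against each half.

```python
"""Microburst detector built on the 100ms-slice idea from the thread.

Added example, not the thread's or any vendor's code. Assumes
`tcpdump -tt -n -e -l` lines: epoch timestamp first, and the first
"length N" on the line is the on-wire frame length.
"""
import re
import sys

# Assumed tcpdump -tt -n -e line shape, e.g.
# 1396018200.010000 00:11:... > 66:77:..., ethertype IPv4 (0x0800), length 74: ...
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s.*?\blength (?P<len>\d+)")


def parse_line(line):
    """Return (timestamp_seconds, frame_bytes), or None for lines that do
    not look like a frame (tcpdump banners, continuation lines, noise)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return float(m.group("ts")), int(m.group("len"))


def threshold_for_link(link_mbps, window_ms):
    """Bytes a link can carry in one window: 10 Mbit/s over 100 ms is
    125,000 bytes. A window above this means the pipe was saturated."""
    return link_mbps * 1_000_000 * window_ms // (8 * 1000)


def microbursts(lines, window_ms=100, threshold_bytes=125_000):
    """Yield (window_start_ms, total_bytes, frame_lines) for every fixed
    window_ms-wide window whose byte total exceeds threshold_bytes.

    Only the current window is buffered, so this can consume a live
    tcpdump pipe. Windows are aligned to the epoch; a burst straddling a
    boundary is split across two windows and each half is tested alone
    (use a smaller window or a sliding sum if that matters on your link)."""
    slot = None          # index of the window being accumulated
    total = 0
    buffered = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, nbytes = parsed
        # integer milliseconds avoid float edge cases at window boundaries
        this_slot = int(round(ts * 1000)) // window_ms
        if slot is not None and this_slot != slot:
            if total > threshold_bytes:
                yield slot * window_ms, total, buffered
            total, buffered = 0, []
        slot = this_slot
        total += nbytes
        buffered.append(line.rstrip("\n"))
    if slot is not None and total > threshold_bytes:
        yield slot * window_ms, total, buffered


def sample_lines():
    """Constructed sample (not real traffic): one quiet frame, then 100
    full-size frames inside a single 100 ms window, then one quiet frame."""
    base = 1396018200.0
    fmt = ("{ts:.6f} 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 "
           "(0x0800), length {n}: 10.0.0.1.40000 > 10.0.0.2.80: Flags [{f}], length {p}")
    lines = [fmt.format(ts=base + 0.010, n=74, f="S", p=0)]
    for i in range(100):
        lines.append(fmt.format(ts=base + 0.100 + i * 0.0009, n=1514, f="P.", p=1460))
    lines.append(fmt.format(ts=base + 0.250, n=74, f=".", p=0))
    return lines


if __name__ == "__main__":
    # Usage: tcpdump -tt -n -e -l -i eth0 | python3 microburst.py [link_mbps]
    mbps = int(sys.argv[1]) if len(sys.argv) > 1 else 10
    limit = threshold_for_link(mbps, 100)
    for start_ms, total, frames in microbursts(sys.stdin, 100, limit):
        print(f"burst at {start_ms / 1000:.3f}s: {total} bytes in {len(frames)} frames")
        for frame in frames:
            print("  " + frame)
```

Feeding the constructed sample through `microbursts(sample_lines())` reports exactly one window, the one starting at 1396018200.100 s, holding 151,400 bytes in 100 frames; the two quiet frames never reach the threshold. On a real link, pick the threshold from the link rate and expect the kernel to drop frames before the script sees them once the NIC is truly saturated, which is the limitation the rest of the thread is discussing.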