Luke S. Crawford wrote:
> So, I've been having some problems with packet loss that I have
> reason to believe have to do with "microbursts" of malicious
> traffic.
>
> What I want is a tool that will detect these 'microbursts' and give
> me a very detailed report of the packets flowing during the (very
> small... one second? half second? quarter-second?) period of
> time when my pipe is overwhelmed.
>
> I'm thinking of setting up a perl script to just watch the output of
> tcpdump; have that perl script save all the packets in a 100ms
> slice, and to just dump all the packets for that 100ms to a log if
> the bytes exceed my threshold, but before I do that, well, it seems
> to me like there ought to be a standard way to deal with this
> problem.
Riverbed makes a Cascade Shark appliance that captures packets at line rate on fast links. Homebrew, with a fast enough link you'd have a hard time getting anything such as pcap to capture many packets. Your chances might improve saving to a RAM disk, maybe set CPU affinity for the NIC Rx interrupts. On Linux it would likely need to be a newer (NAPI) NIC driver.

Last week I ran tcpdump with the ring-buffer (-C) option in concert with an anomaly detection script that ran "pkill -HUP tcpdump" to catch a rare event. (But not a particularly high frame rate.)

--
Charles

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
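The 100 ms-slice detector Luke sketches, written up as an added Python example rather than code from this thread: it assumes one packet per line in `tcpdump -l -n -tt` format (epoch timestamp, summary ending in "length N") and uses a constructed sample capture with a deliberately low threshold so the burst is visible.

```python
import re

# Assumed input shape: one packet per line from `tcpdump -l -n -tt`, i.e. an
# epoch timestamp followed by the usual summary ending in "length N".
TS_RE = re.compile(r"^(\d+)\.(\d+)\s")
LEN_RE = re.compile(r"\blength (\d+)\b")

def parse_line(line):
    """Return (timestamp_ms, length_bytes, line), or None when the line lacks a
    usable timestamp/length (e.g. a DNS summary that prints "(60)" instead)."""
    ts = TS_RE.match(line)
    ln = LEN_RE.search(line)
    if not ts or not ln:
        return None
    ms = int(ts.group(1)) * 1000 + int(ts.group(2).ljust(6, "0")[:6]) // 1000
    return ms, int(ln.group(1)), line.rstrip()

def microbursts(lines, slice_ms=100, threshold_bytes=10_000):
    """Yield (slice_start_s, total_bytes, packet_lines) for every fixed slice whose
    byte total exceeds the threshold. A slice is emitted as soon as a packet from a
    later slice arrives, so it runs on live, time-ordered tcpdump output."""
    cur_key, cur_pkts, cur_bytes = None, [], 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ms, length, raw = parsed
        key = ms // slice_ms          # integer slice index: no float-boundary misbinning
        if key != cur_key:
            if cur_key is not None and cur_bytes > threshold_bytes:
                yield cur_key * slice_ms / 1000.0, cur_bytes, cur_pkts
            cur_key, cur_pkts, cur_bytes = key, [], 0
        cur_pkts.append(raw)
        cur_bytes += length
    if cur_key is not None and cur_bytes > threshold_bytes:
        yield cur_key * slice_ms / 1000.0, cur_bytes, cur_pkts

def find_microbursts(lines, slice_ms=100, threshold_bytes=10_000):
    return list(microbursts(lines, slice_ms, threshold_bytes))

# Constructed sample (not a real capture): three full-size segments land in the
# first 100 ms slice, then quiet traffic; the DNS line is skipped by parse_line.
SAMPLE = """\
1700000000.010000 IP 192.0.2.10.443 > 198.51.100.5.51234: Flags [.], seq 1:1449, ack 1, win 501, length 1448
1700000000.020000 IP 192.0.2.10.443 > 198.51.100.5.51234: Flags [.], seq 1449:2897, ack 1, win 501, length 1448
1700000000.030000 IP 192.0.2.11.53 > 198.51.100.5.40000: 1234 1/0/0 A 203.0.113.7 (60)
1700000000.040000 IP 192.0.2.10.443 > 198.51.100.5.51234: Flags [.], seq 2897:4345, ack 1, win 501, length 1448
1700000000.150000 IP 198.51.100.5.51234 > 192.0.2.10.443: Flags [.], ack 4345, win 1024, length 0
1700000000.250000 IP 192.0.2.12.123 > 198.51.100.5.123: NTPv4, Client, length 48
"""
```

Feeding `sys.stdin` from a `tcpdump -l -n -tt` pipe into `microbursts()` gives the live version; the bytes-per-slice threshold should be set from the link rate (e.g. a fraction of what 100 ms on the pipe can carry), not from this toy sample.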