Have you thought about using sflow or netflow on the switch to capture the aggregate stream data? It will capture the independent stream meta information and send it to a collector where you can get some very nice source/destination and stream size analysis.
Also, if you did want to use 10g with a native capture, I highly recommend the SolarFlare NIC cards. They would let you do interrupt coalescing and spreading across cores while minimizing the number of interrupts passed to the CPUs. Very scalable.

On Fri, Mar 28, 2014 at 10:50 AM, Charles Polisher <cpol...@surewest.net> wrote:
> Luke S. Crawford wrote:
> > so, I've been having some problems with packet loss that I have
> > reason to believe have to do with "microbursts" of malicious
> > traffic.
> >
> > What I want is a tool that will detect these 'microbursts' and give
> > me a very detailed report of the packets flowing during the (very
> > small... one second? half second? quarter-second?) period of
> > time when my pipe is overwhelmed.
> >
> > I'm thinking of setting up a perl script to just watch the output of
> > tcpdump; have that perl script save all the packets in a 100ms
> > slice, and to just dump all the packets for that 100ms to a log if
> > the bytes exceed my threshold, but before I do that, well, it seems
> > to me like there ought to be a standard way to deal with this
> > problem.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
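
The approach described in the quoted message (bucket tcpdump output into 100 ms slices and dump a slice when its bytes exceed a threshold), written in Python as an added example; it is not code from any poster in this thread. It assumes input lines from `tcpdump -tt -n` and uses the printed `length` field as the byte count; the function names, the 100,000-byte threshold and the sample capture are constructed for illustration.

```python
import re
from collections import Counter

# IPv4 lines as printed by `tcpdump -tt -n`, for example:
# 1396029000.300000 IP 203.0.113.9.40000 > 192.0.2.1.80: Flags [.], length 1448
# Assumption: the printed "length" (payload bytes) stands in for bytes on the wire.
LINE_RE = re.compile(r"^(\d+)\.(\d{6}) IP (\S+) > (\S+): .*\blength (\d+)")

def host(endpoint):
    """Drop the trailing .port from addr.port; ICMP lines carry no port."""
    return endpoint.rsplit(".", 1)[0] if endpoint.count(".") == 4 else endpoint

def bursts(lines, window_ms=100, threshold_bytes=100_000):
    """Yield (window_start_us, total_bytes, bytes_by_source, packet_lines) for
    each fixed window whose summed 'length' values exceed threshold_bytes.
    Holds only the current window in memory, so it can read a live pipe."""
    window_us = window_ms * 1000
    slot, total, by_src, held = None, 0, Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6, and decoded lines with no length field
        s = (int(m.group(1)) * 1_000_000 + int(m.group(2))) // window_us
        if s != slot:  # window closed: report it only if it was over threshold
            if total > threshold_bytes:
                yield slot * window_us, total, by_src, held
            slot, total, by_src, held = s, 0, Counter(), []
        size = int(m.group(5))
        total += size
        by_src[host(m.group(3))] += size
        held.append(line.rstrip("\n"))
    if total > threshold_bytes:  # flush the final window at end of input
        yield slot * window_us, total, by_src, held

def sample_capture():
    """Constructed sample: light traffic plus 80 full-size segments in 80 ms."""
    fmt = "1396029000.{:06d} IP {} > 192.0.2.1.80: Flags [.], length {}"
    quiet = [fmt.format(us, "198.51.100.7.51000", 512) for us in (10000, 150000)]
    burst = [fmt.format(300000 + i * 1000, "203.0.113.9.40000", 1448) for i in range(80)]
    tail = [fmt.format(390000, "198.51.100.7.51000", 512),
            "1396029000.450000 IP 198.51.100.7 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64"]
    return quiet + burst + tail

if __name__ == "__main__":
    for start_us, total, by_src, held in bursts(sample_capture()):
        print(f"{start_us / 1e6:.1f}s: {total} bytes in {len(held)} packets")
        for src, n in by_src.most_common(3):
            print(f"  {src}: {n} bytes")
```

For live use, the same generator can consume a pipe line by line, as in `bursts(sys.stdin)` fed from tcpdump run with `-l` for line-buffered output.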