netsniff-ng did _much_ better as the RX ring buffer size increased.
Trafgen generated packets roughly at 70,000/sec and hit 150,000/sec
here and there.
I have old equipment. For each test the sniffer was sent an SIGINT
after 30 seconds.
To get stats with daemonlogger I had to apply this patch:
http://www.inetric.com/downloads/dlsp/daemonlogger-stats-1.2.1.patch.bz2
Used in each case to generate large packets
# trafgen --in nst_udp_pkt_1472.txf --out eth1
./daemonlogger -i eth2
[-] Interface set to eth2
[-] Log filename set to "daemonlogger.pcap"
[-] Pidfile configured to "daemonlogger.pid"
[-] Pidpath configured to "/var/run"
[-] Rollover size set to 18446744071562067968 bytes
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY
-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
sniffing on interface eth2
start_sniffing() device eth2 network lookup: eth2: no IPv4 address assigned
Logging packets to daemonlogger.pcap.1361852851
Quitting!
Received by filter: 2242808; Dropped by Kernel: 738578 (32.93%);
Dropped by Interface: 0;
# ring buffer mode ( -r )
# ./daemonlogger -r -i eth2
[-] Interface set to eth2
[-] Log filename set to "daemonlogger.pcap"
[-] Pidfile configured to "daemonlogger.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover size set to 18446744071562067968 bytes
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY
-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
sniffing on interface eth2
start_sniffing() device eth2 network lookup: eth2: no IPv4 address assigned
Logging packets to daemonlogger.pcap.1361852754
Quitting!
Received by filter: 2264939; Dropped by Kernel: 778509 (34.37%);
Dropped by Interface: 0;
# netsniff-ng --in eth2 --out dump -s -V
RX: 238.41 MiB, 122064 Frames, each 2048 Byte allocated
Running! Hang up with ^C!
2273174 packets incoming
1651930 packets passed filter
621244 packets failed filter (out of space)
27.3294% packet droprate
45 sec, 379233 usec in total
# netsniff-ng --in eth2 --out dump --ring-size 500MiB -s -V
RX: 500.00 MiB, 256000 Frames, each 2048 Byte allocated
Running! Hang up with ^C!
2262449 packets incoming
1775626 packets passed filter
486823 packets failed filter (out of space)
21.5175% packet droprate
47 sec, 808032 usec in total
# netsniff-ng --in eth2 --out dump --ring-size 1GiB -s -V
RX: 1024.00 MiB, 524288 Frames, each 2048 Byte allocated
Running! Hang up with ^C!
2238213 packets incoming
1969897 packets passed filter
268316 packets failed filter (out of space)
11.9880% packet droprate
63 sec, 296087 usec in total
# netsniff-ng --in eth2 --out dump --ring-size 2GiB -s -V
RX: 2048.00 MiB, 1048576 Frames, each 2048 Byte allocated
Running! Hang up with ^C!
2184949 packets incoming
2184949 packets passed filter
0 packets failed filter (out of space)
0.0000% packet droprate
44 sec, 871286 usec in total
I'll do a future blog post with more detail (cpu, interrupts, disk I/O
etc.) comparing other tools too.
On Fri, Feb 22, 2013 at 4:44 PM, Jon Schipp <[email protected]> wrote:
> Configuring a new non-production server before I head home from work.
> Heading out of town for the weekend.
> Will be able to test sometime next weekend.
>
> On Fri, Feb 22, 2013 at 6:25 AM, <[email protected]> wrote:
>> On Wednesday, February 13, 2013 6:43:57 PM UTC+3:30, Daniel Borkmann wrote:
>>> On 02/12/2013 02:30 PM, Jon Schipp wrote:
>>>
>>> > I don't have any benchmarks between the two but I can recall from
>>>
>>> > personal experience that netsniff-ng was able to write all packets to
>>>
>>> > disk
>>>
>>> > when daemonlogger, under similar load, was dropping some of them.
>>>
>>> > Since benchmarks would be nice to have, I'll work on that soon.
>>>
>>>
>>>
>>> I'd also be curious on that, i.e. a comparison of those tools under 10Gbps.
>>
>> any update?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "netsniff-ng" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
--
You received this message because you are subscribed to the Google Groups
"netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
