Hi,

I'm currently working on testing Linux network performance. I have two Linux machines in our test setup. Machine1 is the attacker machine from which we are sending SYN packets to Machine2 at a rate of 3 million pps. I'm able to receive these packets on Machine2's external interface and forward them through the internal interface without dropping any packets. So far no problems.

However, when I start another app that captures traffic on Machine2's external interface using libpcap, the amount of traffic that is forwarded drops significantly. Obviously, this second libpcap app becomes a bottleneck. It can capture only about 800 Kpps of traffic and only about 800 Kpps can be forwarded in this case.

Since I hit this bottleneck I performed the same test using pf_ring aware libpcap using pfcount. The amount of traffic that we captured was better now (~1.2 Mpps) but still the forwarded traffic was limited by the capturing application. Only about ~1.2 Mpps is forwarded. Roughly the same amount as captured. I used transparent_mode=1. I don't use DNA since I don't want to bypass kernel.

What I don't understand is why is the capturing performance limiting the forwarding performance? If I set a filter on libpcap and capture just a small amount (say 100 Kpps) of the incoming traffic, then the forwarding performance is not affected? Any ideas to overcome this problem? Are there any pf_ring related solutions?

Both machines are running Linux kernel 3.15.

Thanks in advance.

Giray
