Hi Lee,

ZC is a kernel-bypass technology: in essence, the application runs a userspace driver controlling the network interface, which is why you can use only one instance of tcpdump. In order to receive the same traffic from multiple tcpdump instances, you should use zbalance_ipc (https://github.com/ntop/PF_RING/tree/dev/userland/examples_zc), which is a sample application capturing traffic and distributing it to multiple consumers using software queues. You can use fanout distribution (sending all traffic to all consumers, then filtering on the consumers, but I guess you will have the same performance issues), or any other distribution function (you can write your own distribution function).

Alfredo

> On 13 Feb 2017, at 20:31, Lee Tessier <[email protected]> wrote:
>
> Hello,
>
> I am trying to improve a current monitoring situation where we use dumpcap
> with wireshark to capture specific traffic. We have anywhere from 20 – 50
> copies of wireshark running with filters for different traffic. The problem
> is that past 50 traces running, the system starts dropping packets.
>
> I am testing PF_RING ZC with tcpdump to see how it can improve the capturing
> but it seems I can only use one instance when specifying the interface
> “zc:eth1”. Is it possible to have multiple tcpdumps running with filters or
> is there a better way to accomplish this?
>
> Regards,
>
> Lee
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
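
The reply above contrasts fanning all traffic out to every consumer with writing your own distribution function. As an added example (not part of the original message and not PF_RING code), this stand-alone C function shows the classification step such a function could perform: it parses each frame once and returns a bitmask of the consumers whose rule matches. The names `struct rule`, `fanout_mask`, the rule table and the sample frame are assumptions constructed for illustration; no PF_RING ZC API is used, and hooking the logic into zbalance_ipc is left out.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical rule: one consumer wants one IP protocol on one port. */
struct rule { uint8_t proto; uint16_t port; unsigned consumer; };

/* Constructed rules: consumer 0 = DNS, 1 = HTTPS, 2 = SIP over UDP. */
static const struct rule rules[] = { {17, 53, 0}, {6, 443, 1}, {17, 5060, 2} };

/* Constructed frame: Ethernet + IPv4 + UDP, 192.0.2.1:5060 -> 192.0.2.53:53. */
static const uint8_t sample_frame[42] = {
    2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x00,
    0x45,0,0,28, 0,1,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,53,
    0x13,0xc4, 0,53, 0,8, 0,0,
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns a bitmask of consumers that should receive the frame
 * (bit n = consumer n); 0 means no consumer asked for it. */
uint64_t fanout_mask(const uint8_t *pkt, size_t len)
{
    size_t off = 14;                              /* Ethernet header */
    if (len < off) return 0;
    uint16_t etype = rd16(pkt + 12);
    if (etype == 0x8100) {                        /* skip one 802.1Q tag */
        if (len < 18) return 0;
        etype = rd16(pkt + 16);
        off = 18;
    }
    if (etype != 0x0800 || len < off + 20) return 0;   /* IPv4 only */
    const uint8_t *ip = pkt + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < off + ihl + 4) return 0;
    uint8_t proto = ip[9];
    if (proto != 6 && proto != 17) return 0;      /* TCP or UDP only */
    if (rd16(ip + 6) & 0x1fff) return 0;          /* later fragment: no ports */
    uint16_t sport = rd16(ip + ihl), dport = rd16(ip + ihl + 2);
    uint64_t mask = 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].proto == proto &&
            (rules[i].port == sport || rules[i].port == dport))
            mask |= 1ULL << rules[i].consumer;
    return mask;
}

int main(void) { return fanout_mask(sample_frame, sizeof sample_frame) == 5 ? 0 : 1; }
```

Frames that match no rule return 0 and can be dropped before they reach any queue, so each consumer sees only the traffic it asked for.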
