Hey,

Yes, under high load it can cause some trouble.
The solution I could think about was a dedicated machine that would
receive all traffic from the replication (HUB-like) port while the
machine's Ethernet is in promiscuous mode, which will then capture all
traffic from the network.
I do not know exactly how much resources it would take when there is an
option to, let's say, "pin" tcpdump to one or two cores while letting all
the others handle the rest of the traffic.
For a very high load I would need a big buffer or maybe a frame-buffer
card that will help to reduce the load on the kernel while allowing fewer
packet drops.

Eliezer

On 25/11/13 16:23, Prashant Batra (prbatra) wrote:

Hi,

To add to the tcpdump application eating up resources, it would degrade the
performance of the send/receive path in the kernel. Each packet going out from the
kernel and received in would be cloned and then given to the tcpdump application.
At very high load this would be significant.

Regards,
Prashant

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers