Full Packet Capture and Offline Analysis on 1 and 10 Gb/s Networks
Anderson, E.; Arlitt, M.
Keyword(s): full packet capture; 10 Gb/s network; driverdump
Abstract: This paper describes our experiences with implementing and using a network monitor built with commodity hardware and open source software to collect contiguous, multi-day, full packet traces from 1 and 10 Gb/s networks. The length of the traces is primarily limited by the capacity of the disks attached to the monitor and by the rate and size of packets on the network. On a 10 Gb/s enterprise network our monitor sustained packet capture rates of 160,000 pps (packets per second) and data capture rates of 0.7 Gb/s, and burst capture rates of up to 550,000 pps and 3.7 Gb/s respectively (with minimal packet loss). In testing we have achieved sustained capture rates of up to 676,000 pps and 1.4 Gb/s. We found that our technique (driverdump) can sustain capture rates between 1.86x (large packets) and 5.98x (small packets) higher than the traditional tcpdump program; compared to the Linux-specific lindump program, we achieve rates 1.48x (large packets) and 2.25x (small packets) higher. We describe the current bottlenecks of our monitor and elaborate on how to address them. We also discuss our tools and techniques for efficiently analyzing the multi-terabyte traces we collected. In particular, we rely on DataSeries, a highly efficient trace storage format.