Re: low overhead packet capturing on linux

From: Pekka Pietikainen
Date: Wed Dec 01 2010 - 08:04:13 EST


On Tue, Nov 30, 2010 at 05:28:05PM -0700, Thomas Fjellstrom wrote:
> I'm working on a little tool to monitor and measure bandwidth use on a vm
> host, down to keeping track of all guest and host bandwidth, including,
> eventually per layer7 protocol use.
>
> Right now I have a pretty simple setup, I set up an AF_PACKET socket, select on
> it, and read data as it comes in. Obviously, this has a fatal flaw. It takes up
> a rather large amount of CPU time just to capture the packets. On a GbE
> interface, it uses up easily 60-80% CPU (on a 2.6GHz AMD Phenom II CPU core)
> just to capture the packets, trying to do anything fancy with them will likely
> cause the kernel to drop some packets.
>
> So what I'm looking for is a very low overhead way to capture packets. I've
> come up with a few ideas, some of which I have no idea if they'd even work.
Have you checked out

http://public.lanl.gov/cpw/ (IIRC it's actually a part of recent libpcap,
but could be wrong) and http://www.ntop.org/PF_RING.html ?
