Wireshark-dev: Re: [Wireshark-dev] dropped packets stats for dumpcap/tshark ring buffer mode
Hi,
Wow, 36 monitor ports. All connected on one platform? Impressive.
I'm not sure what insight I can give you on the dropped packets statitics. What
I can do is advice you to capture with dumpcap i.s.o. tshark. The thing is
tshark spawns dumpcap to do the capture, but then does the dissection. From what
I've read so far you are only interested in the capture files. So leave the
dissection (most CPU intensive) out and let dumpcap (most IO intensive) do the
capturing. I'm sure you know your way around a command line so this should be no
problem.
Thanx,
Jaap
Filonenko Alexander-AAF013 wrote:
Jaap,
Thanks for looking into this.
When 36 ethernet ports can cause packet drops on the capture
interface then probably the monitor port will be dropping
packets too. How are you going to account for that?
There is no single monitor port. The 36 ports are the monitor ports with 36 instances of tshark (one port - one tshark) running in buffer ring mode.
Number of ports should not affect complexity of solution, I hope.
Let's consider scenario with one port and one tshark instance.
When tshark runs 24/7 and I am examining a buffer taken 15 minutes ago, how do I know if any packets were dropped while the buffer was captured?
Ideally would like a separate file stored for each ring buffer by
tshark with number of packets dropped. Using Perl with
Net::Pcap might
be able to help determine if packets were dropped in real-time (not
sure if this is going to work with tshark).
Any other approaches?
Thanks,
Alex
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Thursday, October 09, 2008 1:43 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] dropped packets stats for
dumpcap/tshark ring buffer mode
Hi,
Thinking about this makes me wonder if this is sufficient.
When 36 ethernet ports can cause packet drops on the capture
interface then probably the monitor port will be dropping
packets too. How are you going to account for that?
Thanks,
Jaap
Filonenko Alexander-AAF013 wrote:
Using tshark ring buffer mode on a server capturing data
24/7 from 36
Ethernet ports. Users are taking ring buffers as needed via remote
access and some scripts which simplify access/merge/processing.
Traffic is bursty and I need to know if any packets were
dropped while
particular ring buffer file was captured. Obviously could
get summary
of how many packets were dropped when tshark is stopped, but it is
running 24/7 and should not stop.
Ideally would like a separate file stored for each ring buffer by
tshark with number of packets dropped. Using Perl with
Net::Pcap might
be able to help determine if packets were dropped in real-time (not
sure if this is going to work with tshark).
Any other approaches?
Thank you,
Alex Filonenko