Wireshark-users: Re: [Wireshark-users] Experiencing Packet Loss in High Volume Packet Capture App
John Powell wrote:
Hi Everyone,
I am running CentOS 6.3 on an HP 8200 using 3TB WD Green drives using an
EXT4 file system.
I am using Wireshark 1.8.2 compiled from source.
I am using DUMPCAP to rotate and store historical Packet Captures.
Whether I capture the packets with Wireshark or view the DUMPCAP created
file, I see dropouts in the packets being captured.
I tried turning off journalling but this did not seem to help much:
umount /dev/mapper/VolGroup00-LogVol_Data
/sbin/tune2fs -o journal_data_writeback /dev/mapper/VolGroup00-LogVol_Data
/sbin/tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol_Data
/sbin/e2fsck -f /dev/mapper/VolGroup00-LogVol_Data
I have attached a couple of IOGraphs from Wireshark showing the packet
drops.
(Note that Microsoft documents aren't the most portable way of
sharing... Many of us don't natively have a way to open them.
Fortunately, Google frequently can...)
The document indicates that your disks are 71% busy writing about 38
Mbytes/sec and that you're periodically getting periods where almost
*nothing* is captured and that those periods can be quite long (in one
case it looks like about 500 msec).
In my mind, you're crossing into the territory where a dedicated capture
device (which has been engineered for this kind of high-speed capture)
is needed. You may be able to make some progress but you'll be
reinventing a wheel that's already been solved (probably with much
effort) by several vendors.
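
The capture dropouts discussed in this thread can be located from a capture file's packet timestamps alone. The following is an added example, not part of the original messages and not Wireshark code: it assumes a classic libpcap-format file (pcapng is not handled), and the function names, the 100 ms bucket and the 10% threshold are choices made for this illustration.

```python
import io
import struct
from statistics import median

# Magic number -> (byte order, timestamp fraction units per second)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
          b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9)}

def read_timestamps_us(stream):
    """Yield each packet's timestamp in integer microseconds from a classic pcap stream."""
    header = stream.read(24)
    if header[:4] not in MAGICS:
        raise ValueError("not classic pcap (pcapng is not handled here)")
    order, frac = MAGICS[header[:4]]
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # end of file, or a truncated final record
        sec, sub, caplen, _origlen = struct.unpack(order + "IIII", rec)
        stream.seek(caplen, io.SEEK_CUR)  # skip the packet bytes
        yield sec * 10**6 + sub * 10**6 // frac

def find_dropouts(timestamps_us, bucket_ms=100, ratio=0.1):
    """Return (offset_ms, duration_ms) spans whose per-bucket packet count is
    below ratio * median count, i.e. the dips an IO Graph would show."""
    ts = sorted(timestamps_us)
    if not ts:
        return []
    width = bucket_ms * 1000
    counts = [0] * ((ts[-1] - ts[0]) // width + 1)
    for t in ts:
        counts[(t - ts[0]) // width] += 1
    floor = median(counts) * ratio
    spans, run = [], None
    for i, c in enumerate(counts + [floor + 1]):  # sentinel closes a trailing run
        if c < floor and run is None:
            run = i
        elif c >= floor and run is not None:
            spans.append((run * bucket_ms, (i - run) * bucket_ms))
            run = None
    return spans

def make_sample():
    """Constructed capture: 1 packet/ms for 2 s, nearly silent from 800 to 1300 ms."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ms in range(2000):
        if not (800 <= ms < 1300 and ms % 100):  # keep 1 in 100 inside the dropout
            out.write(struct.pack("<IIII", 1346400000 + ms // 1000, ms % 1000 * 1000, 60, 60) + bytes(60))
    out.seek(0)
    return out

if __name__ == "__main__":
    print(find_dropouts(read_timestamps_us(make_sample())))
```

To run it on a real file, pass `open(path, "rb")` to `read_timestamps_us` in place of the constructed sample.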