<HTML><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText67005 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Hello Ian and Gianluca,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Thanks for the replies. Here is the summary for what I have done after your responses:</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>- I have built a win32 application with visual C++ and listened for the incoming packet. The code segment for listening is just a for while loop with pcap_next_ex() function and when a packet arrives a counter is incremented. Thats all, no displaying or saving to disk. As a result only 20K of the packets are captured. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Again I am able to see that about 400.000 packets are received on the LAN status window in the system tray which means the NIC has captured them succesfully, but I can capture very small amount of it.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I am really suprised that only small amount of the packets are captured by the driver?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Do you have any other suggestions? or has some ever tried to capture large amount of packets/second (e.g : 60K packets/sec) using winpcap?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Best Regards</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Zafer SAVAS</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>Kimden:</B> Ian Hawley<BR><B>Gönderilmiş:</B> Sal 29.04.2008 19:26<BR><B>Kime:</B> winpcap-users@winpcap.org<BR><B>Konu:</B> RE: [Winpcap-users] Can winpcap capture that fast?<BR></FONT><BR></DIV>
<DIV><PRE style="WORD-WRAP: break-word">*** Before acting on this email you are advised to read the information at the end of this email. ***
--------------------------------------------------------------------------
In my experience of recording large volumes of network traffic it is
essential to hand off the packets to a secondary buffer in RAM and have
another thread consume the data and write it to disk. I don't even have
any logging in my capture thread, as it is synchronous, and experience
has shown me, that writing one line of text to a log file can stall a
thread for several seconds, depending on what the OS is doing.
Our volume of data is typically < 8Mbytes/second however in
~8500packets, so at the volumes you are examining you are going to
struggle, especially to get that volume of data through the various bus
bottle-necks and to disk. We use dedicated RAID cards with 512MB or
1024MB of cache.
Hope that helps
Ian
-----Original Message-----
From: winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] On Behalf Of Gianluca Varenni
Sent: 29 April 2008 17:00
To: winpcap-users@winpcap.org
Subject: Re: [Winpcap-users] Can winpcap capture that fast?
You are probably losing packets because you are dumping to disk. Disks
are
**slow**, they cannot ususally keep up dumping 400k packets per second.
I
would try creating a simple application that simply counts the packets
and
see if you keep losing packets.
If you need to dump to disk, I suggest you looking at the slides of this
presentation
http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and
%20Don'ts.zip
In particular the slide titled "dumping to disk" gives some hints on it.
Have a nice day
GV
----- Original Message -----
From: "Zafer SAVAS" <zsavas@aselsan.com.tr>
To: <winpcap-users@winpcap.org>
Sent: Tuesday, April 29, 2008 6:46 AM
Subject: [Winpcap-users] Can winpcap capture that fast?
> Hello,
>
> I have a question about the recording capability of the Winpcap
library:
> I want to monitor a gigabit ethernet link where a large amount of data
is
> flowing (430.000 MAC Layer packets/second).
> When I observe my network connection status for incoming and outgoing
> packets using the windows LAN connection on the system tray, I see
that
> exactly 430.000 packets are received. However when I want to record
them
> using my c program, I can only record 20.000 of them.
>
> So, do you think I am doing something wrong or is this the maximum
speed
> of the library?
>
> P.S : I am already using the dump file utility of the library for fast
> recording.
>
> Best Regards
> Zafer
>
> ######################################################################
> Dikkat:
>
> Bu elektronik posta mesaji kisisel ve ozeldir. Eger size
> gonderilmediyse lutfen gondericiyi bilgilendirip mesaji siliniz.
> Firmamiza gelen ve giden mesajlar virus taramasindan gecirilmekte,
> guvenlik nedeni ile kontrol edilerek saklanmaktadir. Mesajdaki
> gorusler ve bakis acisi gondericiye ait olup Aselsan A.S. resmi
> gorusu olmak zorunda degildir.
>
> ######################################################################
> Attention:
>
> This e-mail message is privileged and confidential. If you are
> not the intended recipient please delete the message and notify
> the sender. E-mails to and from the company are monitored for
> operational reasons and in accordance with lawful business practices.
> Any views or opinions presented are solely those of the author and
> do not necessarily represent the views of the company.
>
> ######################################################################
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users@winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
--------------------------------------------------------------------------
Please visit us at IFSEC 2008
Stand 17111, Hall 19
NEC Birmingham 12 - 15th May
Register now to attend at http://www.ifsec.co.uk/register
3-4 Broadfield Close, Sheffield S8 0XN, United Kingdom
Telephone +44 (0) 114 255 2509
Facsimile +44 (0) 114 258 2050
Web Address http://www.synx.com/
--------------------------------------------------------------------------
This email is confidential and may also be legally privileged or exempt from disclosure under applicable law. It is intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, please destroy it immediately without reading the contents of the e-mail or opening attachments. Any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please notify the sender by e-mail, telephone or fax.
Replies to this e-mail may be monitored by Synectic Systems Group Limitedfor operational or business reasons, within the scope of the law.
Any opinions or information presented in this e-mail or any attachments that do not relate to the business of Synectic Systems Group Limited are solely those of the author and do not represent or are endorsed by Synectic Systems Group Limited. No contract may be construed by this e-mail or any attachments, unless specifically expressed therein.
Security Warning: Internet communications are not guaranteed to be secure or virus-free. Except to the extent Synectic Systems Group Limited may not exclude its liability under law Synectic Systems Group Limited does not accept responsibility for any loss whatsoever arising from unauthorised access to, or interference with, any communications over the internet by any third party, or from the transmission of any viruses.
Synectic Systems Group Limited, trading as Synectics Security Networks. Registered in England & Wales, No. 05815524 . Registered Office; 3-4 Broadfield Close, Sheffield S8 0XN . VAT No. GB 417 0698 46
--------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
</PRE></DIV>
<P>
<HR>
<STRONG><FONT color=#ff0000>Dikkat:</FONT></STRONG></P>
<P>Bu elektronik posta mesaji kisisel ve ozeldir. Eger size gonderilmediyse
lutfen gondericiyi bilgilendirip mesaji siliniz. Firmamiza gelen
ve giden mesajlar virus taramasindan gecirilmekte, guvenlik nedeni ile
kontrol edilerek saklanmaktadir. Mesajdaki gorusler ve bakis acisi gondericiye
ait olup Aselsan A.S. resmi gorusu olmak zorunda degildir.</P><FONT
color=#ff0000><STRONG>
<HR>
</STRONG></FONT><STRONG><FONT color=#ff0000>Attention: </FONT></STRONG>
<P>This e-mail message is privileged and confidential. If you are not the
intended recipient please delete the message and notify the sender. E-mails to
and from the company are monitored for operational reasons and in accordance
with lawful business practices. Any views or opinions presented are solely those
of the author and do not necessarily represent the views of the company.</P>
<HR>
<P> </P>
</BODY></HTML>