[Winpcap-users] Can winpcap capture that fast?
Voora, Srinivas
Srinivas.Voora at etalk.com
Wed Apr 30 12:49:17 GMT 2008
We have see happening with our application as well with the Wire shark. After hitting 20000 packet/sec it becomes kind of stagnant. There is a site recently we were able to handle 80000 packets/sec on gigabit port. I did not have a chance to see what the difference was.
-----Original Message-----
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Zafer SAVAS
Sent: Wednesday, April 30, 2008 5:58 AM
To: winpcap-users at winpcap.org
Subject: YNT: [Winpcap-users] Can winpcap capture that fast?
Hello Ian and Gianluca,
Thanks for the replies. Here is the summary for what I have done after your responses:
- I have built a win32 application with visual C++ and listened for the incoming packet. The code segment for listening is just a for while loop with pcap_next_ex() function and when a packet arrives a counter is incremented. Thats all, no displaying or saving to disk. As a result only 20K of the packets are captured.
Again I am able to see that about 400.000 packets are received on the LAN status window in the system tray which means the NIC has captured them succesfully, but I can capture very small amount of it.
I am really suprised that only small amount of the packets are captured by the driver?
Do you have any other suggestions? or has some ever tried to capture large amount of packets/second (e.g : 60K packets/sec) using winpcap?
Best Regards
Zafer SAVAS
________________________________
Kimden: Ian Hawley
Gönderilmiş: Sal 29.04.2008 19:26
Kime: winpcap-users at winpcap.org
Konu: RE: [Winpcap-users] Can winpcap capture that fast?
*** Before acting on this email you are advised to read the information at the end of this email. ***
--------------------------------------------------------------------------
In my experience of recording large volumes of network traffic it is
essential to hand off the packets to a secondary buffer in RAM and have
another thread consume the data and write it to disk. I don't even have
any logging in my capture thread, as it is synchronous, and experience
has shown me, that writing one line of text to a log file can stall a
thread for several seconds, depending on what the OS is doing.
Our volume of data is typically < 8Mbytes/second however in
~8500packets, so at the volumes you are examining you are going to
struggle, especially to get that volume of data through the various bus
bottle-necks and to disk. We use dedicated RAID cards with 512MB or
1024MB of cache.
Hope that helps
Ian
-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: 29 April 2008 17:00
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Can winpcap capture that fast?
You are probably losing packets because you are dumping to disk. Disks
are
**slow**, they cannot ususally keep up dumping 400k packets per second.
I
would try creating a simple application that simply counts the packets
and
see if you keep losing packets.
If you need to dump to disk, I suggest you looking at the slides of this
presentation
http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and
%20Don'ts.zip
In particular the slide titled "dumping to disk" gives some hints on it.
Have a nice day
GV
----- Original Message -----
From: "Zafer SAVAS" <zsavas at aselsan.com.tr>
To: <winpcap-users at winpcap.org>
Sent: Tuesday, April 29, 2008 6:46 AM
Subject: [Winpcap-users] Can winpcap capture that fast?
> Hello,
>
> I have a question about the recording capability of the Winpcap
library:
> I want to monitor a gigabit ethernet link where a large amount of data
is
> flowing (430.000 MAC Layer packets/second).
> When I observe my network connection status for incoming and outgoing
> packets using the windows LAN connection on the system tray, I see
that
> exactly 430.000 packets are received. However when I want to record
them
> using my c program, I can only record 20.000 of them.
>
> So, do you think I am doing something wrong or is this the maximum
speed
> of the library?
>
> P.S : I am already using the dump file utility of the library for fast
> recording.
>
> Best Regards
> Zafer
>
> ######################################################################
> Dikkat:
>
> Bu elektronik posta mesaji kisisel ve ozeldir. Eger size
> gonderilmediyse lutfen gondericiyi bilgilendirip mesaji siliniz.
> Firmamiza gelen ve giden mesajlar virus taramasindan gecirilmekte,
> guvenlik nedeni ile kontrol edilerek saklanmaktadir. Mesajdaki
> gorusler ve bakis acisi gondericiye ait olup Aselsan A.S. resmi
> gorusu olmak zorunda degildir.
>
> ######################################################################
> Attention:
>
> This e-mail message is privileged and confidential. If you are
> not the intended recipient please delete the message and notify
> the sender. E-mails to and from the company are monitored for
> operational reasons and in accordance with lawful business practices.
> Any views or opinions presented are solely those of the author and
> do not necessarily represent the views of the company.
>
> ######################################################################
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
--------------------------------------------------------------------------
Please visit us at IFSEC 2008
Stand 17111, Hall 19
NEC Birmingham 12 - 15th May
Register now to attend at http://www.ifsec.co.uk/register
3-4 Broadfield Close, Sheffield S8 0XN, United Kingdom
Telephone +44 (0) 114 255 2509
Facsimile +44 (0) 114 258 2050
Web Address http://www.synx.com/
--------------------------------------------------------------------------
This email is confidential and may also be legally privileged or exempt from disclosure under applicable law. It is intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, please destroy it immediately without reading the contents of the e-mail or opening attachments. Any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please notify the sender by e-mail, telephone or fax.
Replies to this e-mail may be monitored by Synectic Systems Group Limitedfor operational or business reasons, within the scope of the law.
Any opinions or information presented in this e-mail or any attachments that do not relate to the business of Synectic Systems Group Limited are solely those of the author and do not represent or are endorsed by Synectic Systems Group Limited. No contract may be construed by this e-mail or any attachments, unless specifically expressed therein.
Security Warning: Internet communications are not guaranteed to be secure or virus-free. Except to the extent Synectic Systems Group Limited may not exclude its liability under law Synectic Systems Group Limited does not accept responsibility for any loss whatsoever arising from unauthorised access to, or interference with, any communications over the internet by any third party, or from the transmission of any viruses.
Synectic Systems Group Limited, trading as Synectics Security Networks. Registered in England & Wales, No. 05815524 . Registered Office; 3-4 Broadfield Close, Sheffield S8 0XN . VAT No. GB 417 0698 46
--------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
________________________________
Dikkat:
Bu elektronik posta mesaji kisisel ve ozeldir. Eger size gonderilmediyse lutfen gondericiyi bilgilendirip mesaji siliniz. Firmamiza gelen ve giden mesajlar virus taramasindan gecirilmekte, guvenlik nedeni ile kontrol edilerek saklanmaktadir. Mesajdaki gorusler ve bakis acisi gondericiye ait olup Aselsan A.S. resmi gorusu olmak zorunda degildir.
________________________________
Attention:
This e-mail message is privileged and confidential. If you are not the intended recipient please delete the message and notify the sender. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business practices. Any views or opinions presented are solely those of the author and do not necessarily represent the views of the company.
________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20080430/2ae81143/attachment-0001.htm
More information about the Winpcap-users
mailing list