[Winpcap-users] Can winpcap capture that fast?
Tom Gibson
tom.gibson at ipvidnet.com
Wed Apr 30 23:55:35 GMT 2008
I was pleasantly surprised how fast it is. I had good results using the cmd
line tool that comes in wireshark's program folder (dumpcap I think it was).
I was able to capture 900mbp/s to a file over a long period of time. I just
set my buffer high and it worked. When capturing a lot (100's of gigs) I
found I needed to record to multiple files otherwise it would start dropping
packets. This was on a Quadcore system (I'm guessing a dual core would have
worked about the same) with a 4 drive raid0 array. Note though, this was
network data where almost all of the packets were ~1500 bytes. Also the NIC
/ driver you use could make a real difference at high speeds. Intel looks
like they have a good driver, but I haven't done testing with other NICs to
compare.
Tom
_____
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Wednesday, April 30, 2008 3:02 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Can winpcap capture that fast?
It all depends on what you are doing in your application. Forget about using
wireshark for high performance capture. It's *not* the right tool. In case
of high speed networks, the solutions are usually
- having your custom application that analyzes the packets -or-
- dumping packets to disk using HW RAID in striping mode.
Hope it helps
GV
----- Original Message -----
From: Voora, <mailto:Srinivas.Voora at etalk.com> Srinivas
To: winpcap-users at winpcap.org
Sent: Wednesday, April 30, 2008 5:49 AM
Subject: RE: [Winpcap-users] Can winpcap capture that fast?
We have see happening with our application as well with the Wire shark.
After hitting 20000 packet/sec it becomes kind of stagnant. There is a site
recently we were able to handle 80000 packets/sec on gigabit port. I did not
have a chance to see what the difference was.
-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Zafer SAVAS
Sent: Wednesday, April 30, 2008 5:58 AM
To: winpcap-users at winpcap.org
Subject: YNT: [Winpcap-users] Can winpcap capture that fast?
Hello Ian and Gianluca,
Thanks for the replies. Here is the summary for what I have done after your
responses:
- I have built a win32 application with visual C++ and listened for the
incoming packet. The code segment for listening is just a for while loop
with pcap_next_ex() function and when a packet arrives a counter is
incremented. Thats all, no displaying or saving to disk. As a result only
20K of the packets are captured.
Again I am able to see that about 400.000 packets are received on the LAN
status window in the system tray which means the NIC has captured them
succesfully, but I can capture very small amount of it.
I am really suprised that only small amount of the packets are captured by
the driver?
Do you have any other suggestions? or has some ever tried to capture large
amount of packets/second (e.g : 60K packets/sec) using winpcap?
Best Regards
Zafer SAVAS
_____
Kimden: Ian Hawley
Gönderilmiş: Sal 29.04.2008 19:26
Kime: winpcap-users at winpcap.org
Konu: RE: [Winpcap-users] Can winpcap capture that fast?
*** Before acting on this email you are advised to read the information at
the end of this email. ***
--------------------------------------------------------------------------
In my experience of recording large volumes of network traffic it is
essential to hand off the packets to a secondary buffer in RAM and have
another thread consume the data and write it to disk. I don't even have
any logging in my capture thread, as it is synchronous, and experience
has shown me, that writing one line of text to a log file can stall a
thread for several seconds, depending on what the OS is doing.
Our volume of data is typically < 8Mbytes/second however in
~8500packets, so at the volumes you are examining you are going to
struggle, especially to get that volume of data through the various bus
bottle-necks and to disk. We use dedicated RAID cards with 512MB or
1024MB of cache.
Hope that helps
Ian
-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: 29 April 2008 17:00
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Can winpcap capture that fast?
You are probably losing packets because you are dumping to disk. Disks
are
**slow**, they cannot ususally keep up dumping 400k packets per second.
I
would try creating a simple application that simply counts the packets
and
see if you keep losing packets.
If you need to dump to disk, I suggest you looking at the slides of this
presentation
http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and
%20Don'ts.zip
In particular the slide titled "dumping to disk" gives some hints on it.
Have a nice day
GV
----- Original Message -----
From: "Zafer SAVAS" <zsavas at aselsan.com.tr>
To: <winpcap-users at winpcap.org>
Sent: Tuesday, April 29, 2008 6:46 AM
Subject: [Winpcap-users] Can winpcap capture that fast?
> Hello,
>
> I have a question about the recording capability of the Winpcap
library:
> I want to monitor a gigabit ethernet link where a large amount of data
is
> flowing (430.000 MAC Layer packets/second).
> When I observe my network connection status for incoming and outgoing
> packets using the windows LAN connection on the system tray, I see
that
> exactly 430.000 packets are received. However when I want to record
them
> using my c program, I can only record 20.000 of them.
>
> So, do you think I am doing something wrong or is this the maximum
speed
> of the library?
>
> P.S : I am already using the dump file utility of the library for fast
> recording.
>
> Best Regards
> Zafer
>
> ######################################################################
> Dikkat:
>
> Bu elektronik posta mesaji kisisel ve ozeldir. Eger size
> gonderilmediyse lutfen gondericiyi bilgilendirip mesaji siliniz.
> Firmamiza gelen ve giden mesajlar virus taramasindan gecirilmekte,
> guvenlik nedeni ile kontrol edilerek saklanmaktadir. Mesajdaki
> gorusler ve bakis acisi gondericiye ait olup Aselsan A.S. resmi
> gorusu olmak zorunda degildir.
>
> ######################################################################
> Attention:
>
> This e-mail message is privileged and confidential. If you are
> not the intended recipient please delete the message and notify
> the sender. E-mails to and from the company are monitored for
> operational reasons and in accordance with lawful business practices.
> Any views or opinions presented are solely those of the author and
> do not necessarily represent the views of the company.
>
> ######################################################################
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
--------------------------------------------------------------------------
Please visit us at IFSEC 2008
Stand 17111, Hall 19
NEC Birmingham 12 - 15th May
Register now to attend at http://www.ifsec.co.uk/register
3-4 Broadfield Close, Sheffield S8 0XN, United Kingdom
Telephone +44 (0) 114 255 2509
Facsimile +44 (0) 114 258 2050
Web Address http://www.synx.com/
--------------------------------------------------------------------------
This email is confidential and may also be legally privileged or exempt from
disclosure under applicable law. It is intended solely for the use of the
individual to whom it is addressed. If you are not the intended recipient,
please destroy it immediately without reading the contents of the e-mail or
opening attachments. Any use, dissemination, forwarding, printing or copying
of this e-mail is strictly prohibited. If you have received this e-mail in
error please notify the sender by e-mail, telephone or fax.
Replies to this e-mail may be monitored by Synectic Systems Group Limitedfor
operational or business reasons, within the scope of the law.
Any opinions or information presented in this e-mail or any attachments that
do not relate to the business of Synectic Systems Group Limited are solely
those of the author and do not represent or are endorsed by Synectic Systems
Group Limited. No contract may be construed by this e-mail or any
attachments, unless specifically expressed therein.
Security Warning: Internet communications are not guaranteed to be secure or
virus-free. Except to the extent Synectic Systems Group Limited may not
exclude its liability under law Synectic Systems Group Limited does not
accept responsibility for any loss whatsoever arising from unauthorised
access to, or interference with, any communications over the internet by any
third party, or from the transmission of any viruses.
Synectic Systems Group Limited, trading as Synectics Security Networks.
Registered in England & Wales, No. 05815524 . Registered Office; 3-4
Broadfield Close, Sheffield S8 0XN . VAT No. GB 417 0698 46
--------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
_____
Dikkat:
Bu elektronik posta mesaji kisisel ve ozeldir. Eger size gonderilmediyse
lutfen gondericiyi bilgilendirip mesaji siliniz. Firmamiza gelen ve giden
mesajlar virus taramasindan gecirilmekte, guvenlik nedeni ile kontrol
edilerek saklanmaktadir. Mesajdaki gorusler ve bakis acisi gondericiye ait
olup Aselsan A.S. resmi gorusu olmak zorunda degildir.
_____
Attention:
This e-mail message is privileged and confidential. If you are not the
intended recipient please delete the message and notify the sender. E-mails
to and from the company are monitored for operational reasons and in
accordance with lawful business practices. Any views or opinions presented
are solely those of the author and do not necessarily represent the views of
the company.
_____
_____
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20080430/400bcbb9/attachment-0001.html
More information about the Winpcap-users
mailing list