Wireshark-dev: Re: [Wireshark-dev] Packet Loss due to Disk Contention with Running Dumpcap in a
From: Evan Huus <eapache@xxxxxxxxx>
Date: Wed, 12 Dec 2012 14:42:43 -0500
Hi John,

If you don't need the entire payload of every packet (for example, if
the signalling you care about is always within the first n bytes of
the header of a packet), then you can use the -s option to write only
the first n bytes of each packet to disk.

Otherwise, you've listed all of the other things I was going to suggest.

Hope this helps,
Evan

On Wed, Dec 12, 2012 at 2:33 PM, John Powell <jrp999@xxxxxxxxx> wrote:
> Hi Everyone,
>
> I am using DUMPCAP to capture packets in a high packet rate environment.
>
> My operating system is: CENTOS 6.3
>
> I am experience this problem on source compiled versions:  wireshark-1.6.12
> and wireshark-1.8.4.
>
> In order to allow DUMPCAP to be run as a NON-ROOT user I am using the
> following:
>
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap -v
>
> The issue is that I am experiencing packet loss to apparent disk contention
> when writing the packets to the disk - see attached file:
> packet-loss-atop.txt
>
> To help alleviate the problem I have tried the following:
>
> Disabled SELINUX
> Disabled AUDIT
> RAID 0 (striped disks) to load share the writing out of the data
>
> ARRAY /dev/md2 level=raid0 num-devices=2
>    devices=/dev/sda4,/dev/sdb4
>
> Turn off journals on ext4
>
> tune2fs -o journal_data_writeback /dev/md2
> tune2fs -O ^has_journal /dev/md2
> change fstab to:
>
> UUID=.. /data   ext4    defaults,data=writeback         0 0
>
> Use -B option on Dumpcap to buffer the data
>
> root      /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not
> udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b filesize:250000 -b
> duration:900 -w /data/eth1.cap
>
> These changes have increased the throughput but I still experience packet
> loss - see attached IO Graph: packet-loss-io-graph.jpg
>
> The Vendor solutions we have looked at will not decode UNISTIM signalling
> properly which is requirement for this tool.
>
> Any suggestions on how to better configure either the operating system or
> wireshark to increase packet capture throughput will be greatly appreciated.
>
> Thanks in advance for your assistance.
>
> -John
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe