Wireshark-dev: Re: [Wireshark-dev] Packet Loss due to Disk Contention with Running Dumpcap in a
On Fri, Dec 14, 2012 at 5:10 AM, John Powell <jrp999@xxxxxxxxx> wrote:
> Hi Richard,
>
> Never thought about XFS - I will definitely look into that!!
>
> I think it should be rather trivial to create the XFS partitions in
> kickstart.
>
> Have you had any experience on how to split the Metadata to a separate drive
> (I do have a 300 G SSD at my disposal)?
I haven't looked at it for a while, but it is the realtime partition
stuff, I believe. There is a flag for specifying that partition.
> Thanks for all your help!!
>
> -John
>
> On Thu, Dec 13, 2012 at 11:05 AM, Richard Sharpe
> <realrichardsharpe@xxxxxxxxx> wrote:
>>
>> On Thu, Dec 13, 2012 at 8:59 AM, John Powell <jrp999@xxxxxxxxx> wrote:
>> > Hi Ronnie,
>> >
>> > I am capturing a 250 MB file every few seconds. My ATOP reports:
>> >
>> > MDD | md2 | busy 0% | read 1 | write 15442 | KiB/r 4 | KiB/w 4 | MBr/s 0.00 | MBw/s 60.32 | avq 0.00 | avio 0.00 ms |
>> > DSK | sda | busy 107% | read 1 | write 205 | KiB/r 4 | KiB/w 506 | MBr/s 0.00 | MBw/s 101.33 | avq 93.88 | avio 4.51 ms |
>> > DSK | sdb | busy 92% | read 0 | write 191 | KiB/r 0 | KiB/w 511 | MBr/s 0.00 | MBw/s 95.50 | avq 86.84 | avio 4.20 ms |
>> >
>> > I need the resulting files to be searchable by TSHARK and be able to
>> > create a PCAP extraction based on the search.
>> >
>> > The dumpcap command being used is:
>> >
>> > /usr/local/bin/dumpcap -B 16 -i 4 -f "vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc)" -g -b filesize:250000 -b duration:900 -w /data/eth2.cap
>> >
>> > I am looking at using a SSD for my OS and my Capture volume which may
>> > help out with the Disk IO issue but eliminating the copy from the /TMP
>> > would definitely be an asset.
>>
>> That sounds like about 100MB/s.
>>
>> If you can use a file system like XFS that can separate metadata from
>> data, and put your metadata on SSD, then you might find that a small
>> array of spinning disks is enough for you.
>>
>> --
>> Regards,
>> Richard Sharpe
>> (What can dispel sorrow? Only Du Kang. -- Cao Cao)
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives: http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>
>> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)