Wireshark: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Wireshark mailing list archives

Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment

From: John Powell <jrp999 () gmail com>
Date: Wed, 12 Dec 2012 13:33:22 -0600

Hi Everyone,

I am using DUMPCAP to capture packets in a high packet rate environment.

My operating system is: CENTOS 6.3

I am experience this problem on source compiled versions:  wireshark-1.6.12
and wireshark-1.8.4.

In order to allow DUMPCAP to be run as a NON-ROOT user I am using the
following:

   - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap -v

The issue is that I am experiencing packet loss to apparent disk contention
when writing the packets to the disk - see attached file:
packet-loss-atop.txt

To help alleviate the problem I have tried the following:

   - Disabled SELINUX
   - Disabled AUDIT
   - RAID 0 (striped disks) to load share the writing out of the data
      - ARRAY /dev/md2 level=raid0 num-devices=2
         devices=/dev/sda4,/dev/sdb4
   - Turn off journals on ext4
      - tune2fs -o journal_data_writeback /dev/md2
      - tune2fs -O ^has_journal /dev/md2
      - change fstab to:
         - UUID=.. /data   ext4    defaults,data=writeback         0 0
      - Use -B option on Dumpcap to buffer the data
      - root      /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp
      and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b
      filesize:250000 -b duration:900 -w /data/eth1.cap

These changes have increased the throughput but I still experience packet
loss - see attached IO Graph: packet-loss-io-graph.jpg

The Vendor solutions we have looked at will not decode UNISTIM signalling
properly which is requirement for this tool.

Any suggestions on how to better configure either the operating system or
wireshark to increase packet capture throughput will be greatly appreciated.

Thanks in advance for your assistance.

-John

Attachment: packet-loss-atop.txt
Description:

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

By Date By Thread

Current thread:

Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment John Powell (Dec 12)
- Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment Evan Huus (Dec 12)
  - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment John Powell (Dec 13)
- Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment ronnie sahlberg (Dec 12)
  - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment John Powell (Dec 13)
    - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment Richard Sharpe (Dec 13)
    - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment John Powell (Dec 14)
    - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment Richard Sharpe (Dec 14)
    - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment Guy Harris (Dec 13)
    - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment Jeff Morriss (Dec 13)
    - Re: Packet Loss due to Disk Contention with Running Dumpcap in a high packet rate environment John Powell (Dec 14)