
problem with capture 10g mirroring traffic


I have a network issue with some unbalanced traffic. I need to take packet captures from a 10GB interface on a mirror port. For this I have an HP-G7 server with an Intel Xeon Processor E5-2690 and 16RAM. When traffic exceeds 4GBps, problems with the capture begin: I get an overload (packet loss). I think this problem is hardware related. What hardware do I need to capture such traffic volumes? Can you give some advice?

RaTi
asked 2021-08-08 14:17:19 +0000

4 Answers

7ACE
answered 2021-08-09 00:52:38 +0000

Also check your CPU. Your capture may be running on 1 CPU core only and that will most likely not manage to capture 10Gb/s and also store it.

Having done some things with RSA Netwitness, I recall that you may run into an issue with 1 thread doing the capture and the disk IO. And that will not get above roughly 4 Gb/s in my experience.

Disk IO may be your bottleneck.

hugo.vanderkooij
answered 2021-08-09 07:26:46 +0000

Comments

thanks everyone

RaTi (2021-08-09 16:42:07 +0000)

Two things to do: Verify capture interface and limit capture load.

Verifying your capture interface can be done with a traffic load test application, e.g., iperf3, to see if the hardware is 10G capable.

Limiting capture load can be done by using dumpcap directly for capture (rather than through Wireshark or Tshark), as well as by limiting the length of the frames captured to only the relevant packet headers.

Jaap
answered 2021-08-09 07:07:38 +0000
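
To put numbers on the disk IO concern and the snap-length advice in the answers above, here is an added sizing sketch (not code from any poster or from the Wireshark project) that estimates packet rate and pcap write rate at a given mirror-port load. The traffic mix, the 96-byte snap length, and reading the load figure as wire occupancy are assumptions made for illustration.

```python
# Added sizing example: packet rate and disk write rate for a capture,
# with and without truncating frames to a snap length.

ETH_WIRE_OVERHEAD = 20   # preamble (7) + SFD (1) + inter-frame gap (12), bytes per frame
ETH_FCS = 4              # frame check sequence, normally not delivered to the capture
PCAP_RECORD_HEADER = 16  # per-packet record header in the classic pcap file format

# Constructed traffic mix: frame length on the wire (incl. FCS) -> share of frames.
SAMPLE_MIX = {64: 0.40, 576: 0.20, 1518: 0.40}


def packets_per_second(load_bps, mix):
    """Frames per second when the mix occupies load_bps of line capacity."""
    avg_wire_bytes = sum(share * (length + ETH_WIRE_OVERHEAD)
                         for length, share in mix.items())
    return load_bps / (8 * avg_wire_bytes)


def disk_bytes_per_second(load_bps, mix, snaplen=None):
    """Bytes per second written to the pcap file; snaplen=None stores full frames."""
    def stored(length):
        captured = length - ETH_FCS
        if snaplen is not None:
            captured = min(captured, snaplen)
        return captured + PCAP_RECORD_HEADER

    avg_stored = sum(share * stored(length) for length, share in mix.items())
    return packets_per_second(load_bps, mix) * avg_stored


if __name__ == "__main__":
    load = 4e9  # the load at which the question reports loss starting
    print(f"packets/s:         {packets_per_second(load, SAMPLE_MIX):,.0f}")
    for snap in (None, 96):
        rate = disk_bytes_per_second(load, SAMPLE_MIX, snap) / 1e6
        print(f"snaplen={snap!s:>4}: {rate:,.1f} MB/s to disk")
```

With this mix, full-frame capture at that load needs close to 500 MB/s of sustained writes, while a 96-byte snap length cuts it to about 64 MB/s; the packet rate the capture thread must handle is unchanged.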

When capturing packets with a computer I always worry about the traffic exceeding the computer hardware and/or software capabilities. I tried to find a computer with two NICs, 128G ram, and a large SSD. Common issues I found are insufficient memory, 60%-70% NIC card limitation, microbursts, and aggregate traffic (ingress+egress mirror ports) exceeding the NIC line speed. This is probably overkill for your situation. The sniffers we use for 10G line speed captures have two 10G zero-loss ports, NDIS drivers, multiple SSD drives, and 128G ram. Expensive, but no packet loss. If it is a high priority, then try to lease a sniffer.

BigFatCat
answered 2021-08-10 04:23:33 +0000, updated 2021-08-10 05:36:02 +0000