Ask Your Question
0

problem with capture 10g mirroring traffic

asked 2021-08-08 14:17:19 +0000

RaTi gravatar image

I have an network issue with some unbalanced traffic, i need to take packet captures from a 10GB interface in a mirror port, i have for This HP-G7 Server Intel Xeon Processor E5-2690 16RAM, when traffic exceeds 4GBps begins problem with capture, i get an overload (packet loss). i think this problem is hardware related, what hardware i need for capture such traffic volumes? can you give some advice?

edit retag flag offensive close merge delete
add a comment

4 Answers

Sort by ยป oldest newest most voted
0

answered 2021-08-09 07:07:38 +0000

Jaap gravatar image

Two things to do: Verify capture interface and limit capture load.

Verifying your capture interface can be done with a traffic load test application, e.g., iperf3, to see if the hardware is 10G capable.

Limit capture load can be done by using dumpcap directly for capture (rather than through Wireshark or Tshark), as well as by limiting the length of the frames captured to only the relevant packet headers.

edit flag offensive delete link more
add a comment
0

answered 2021-08-10 04:23:33 +0000

BigFatCat gravatar image

updated 2021-08-10 05:36:02 +0000

When capturing packets with a computer I always worry about the traffic exceeding the computer hardware and/or software capabilities. I tried to find a computer with two NICs, 128G ram, and a large SSD. Common issues I found is insufficient memory, 60%-70% NIC card limitation, microbursts, and aggregate traffic (ingress+egress mirror ports) exceeds the NIC line speed. This is probably an overkill for your situation, The sniffers we use for 10G line speed captures have two 10G zero-loss ports, NDIS drivers, multiple SSD drives, and 128G ram. Expensive, but no packet loss. If it is a high priority, then try to lease a sniffer.

edit flag offensive delete link more
add a comment
0

answered 2021-08-09 00:52:38 +0000

7ACE gravatar image

Check out this link : https://gitlab.com/wireshark/wireshark/-/wikis/Performance

or Technical advice - capturing on 100Gbe networks

edit flag offensive delete link more
add a comment
0

answered 2021-08-09 07:26:46 +0000

hugo.vanderkooij gravatar image

Also check your CPU. Your capture may be running on 1 CPU core only and that will most likely not manage to capture 10Gb/s and also store it.

Having done some things with RSA Netwitness I recall that you may run into a issue with 1 thread doing the capture and the disk IO. And that will not get above roughly 4 Gb/s in my experience.

Disk IO may be your bottleneck.

edit flag offensive delete link more

Comments

thanks everyone

RaTi gravatar imageRaTi ( 2021-08-09 16:42:07 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-08-08 14:17:19 +0000

Seen: 613 times

Last updated: Aug 10 '21

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2