IS there a way to capture from 2 active 10 GB interfaces? I have set up a Linux server with to 10 GB interface to monitor 2 10 GB circuits between our 2 data centers. Interfaces are unnumbered ( layer 2), 1 interface to each switches the circuits terminate on asked 29 Nov '11, 11:28  sjweinstein |
One Answer:
Depending on the data rate and the write performance of the Linux server it might work. You will have to have your disk array to write at the speed of something like 1,2 to 1,5GByte/s if your two 10G links are really full, and even more if you're trying to capture with a full duplex tap. answered 29 Nov '11, 12:05  Jasper ♦♦ |
I understand the need fro fast drive, etc, but how can i have 2 nics actively capturing, the GUI only allows starting a capture on one NIC at a time. I am not that literate with UNIX/LINUX so how would i configure a pseudo(?) interface taht would be just these two interfaces?
I converted your answer to a comment.
You could start two capture processes, either by starting two instances of Wireshark, or, even better, by capturing with two dumpcap processes at the same time.
If you want one capture to aggregate your two NICs you might try that with the "All Interfaces" Pseudo interface offered on UNIX/LINUX, and I heard the Wireshark Developer version 1.7 can do that on Windows, too, but I haven't tried it.
Or you merge your two traces from separate NICs with mergecap afterwards, but that might give some funny results.
Indeed in 1.7.0 you can capture from multiple interfaces at the same time.
All solutions based on standard NIC's will give you funny results, no matter how you capture and/or combine the packets. This is due to the interrupt handling. NIC's will queue the packets in their buffers and on each interrupt handling the OS will read the whole buffer. This can result in ACK's being seen before the packet was seen which it ACKs (if they arrive at different NICs).
The "all interfaces" pseudo-interface is only available on Linux; it's not available on other UN*Xes (their underlying capture mechanisms, unlike Linux's mechanism, must be bound to a particular interface).