Re: Packet dumping or mirroring

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 18 February 2004 8:54 pm, Michael Gale wrote:

> with traffic that is faster then 100MB HD.
>
> So anything 10MB FD and slower is ok, but anything over that limit ntop can

> Solution 1:
> First you create a "tmpfs" .. for example in your NTOP home directory call
> it tmp (/home/ntop/tmp). Now make this directory a RAM drive that gets
> mount everytime we boot up, about 50MB (maybe).

If your problem is not being able to keep up with >10Mbps FD or 100Mbps HD, 
then 50Mbytes is going to fill up pretty quickly...

1. If you capture full packets, assume network is running at 50Mbps on 
average; that's 6.25Mbytes per second - your ramdisk fills up in 8 seconds.

2. If you just capture headers, assume network is again running at 50Mbps, 
with 1500 byte packets one way and empty packets (headers only) the other, 
also assume headers are 48 bytes.   50Mbps / (1548 x 8) = 4038 packets / sec.   
4038 x 48 = 190kbytes / sec.   Your ramdisk now lasts for 258 seconds (or a 
bit more than 4 minutes).

Of course, if your network traffic is not running at 50Mbps then your ramdisk 
will last longer, but then ntop would have been able to keep up on its own 
anyway....

Regards,

Antony.

-- 
If builders made buildings the way programmers write programs, then the first 
woodpecker to come along would destroy civilisation.

                                                     Please reply to the list;
                                                           please don't CC me.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux