Re: [Ethereal-users] How does capture to file work?

[Markus Schaber <markus.schaber@xxxxxxxxxxxxxxxxxx>]

Hi,

Johannes Faerber wrote:

> If someone on this list had similar ideas I would be thankful to hear
> his experience/advice before we start work. Also I would welcome
> comments on the performance of ethereal during capturing (i.e. is
> our approach unnecessary because ethereal will definitely not loose
> any packets at all?)

A hint to this question could be the CPU usage. If you constantly have
100% during capture, I think you have a rather high risk - but if your
CPU monitor shows you the "idle-process" as main CPU consumer, nothing
should be lost, as long as the media you save the data is fast enough.

Another point is the bus bandwidth. If you have a Gigabit Ethernet with
high load (which delivers approx. 100 MB raw data per second), and write
the capture file to a harddisk (which gives another stream of 100
MB/sec), you need at least 200 MB/sec raw bandwidth. However, with
normal PC mainboards, the PCI bus is the bottleneck here (theoretically
max. 133 MB/sec). So a soon as your RAM gets filled up, you definitely
loose packets. Additionally, usual harddisks can't store data in such a
high rate.

Of course, this is different if you have a server board with a crossbar
cwitch and multiple independant PCI-buses (those often also have 266 or
533 MB/sec/Bus, as they use double bandwidth and / or double clock
frequency), and a RAID array which can write 100 MB/sec. 

I used ethereal to sniff on 10 MBit ethernet for just a while now, using
200Mhz-class PCs, and I didn't experience any high loads, as I didn't
realize any missed packets.

markus

-- 
Markus Schaber -- http://www.schabi.de/ -- ICQ: 22042130
+-------------------------------------------------------------+
| Allgemeine Sig-Verletzung 0815/4711  <nicht OK> <Erbrechen> |
+-------------------------------------------------------------+