From owner-freebsd-net@FreeBSD.ORG Wed Dec 5 09:25:38 2007 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9272116A420 for ; Wed, 5 Dec 2007 09:25:38 +0000 (UTC) (envelope-from dudu@dudu.ro) Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.185]) by mx1.freebsd.org (Postfix) with ESMTP id 22E1F13C46B for ; Wed, 5 Dec 2007 09:25:37 +0000 (UTC) (envelope-from dudu@dudu.ro) Received: by mu-out-0910.google.com with SMTP id i10so568220mue for ; Wed, 05 Dec 2007 01:25:37 -0800 (PST) Received: by 10.82.146.14 with SMTP id t14mr4563288bud.1196845235139; Wed, 05 Dec 2007 01:00:35 -0800 (PST) Received: by 10.82.148.1 with HTTP; Wed, 5 Dec 2007 01:00:35 -0800 (PST) Message-ID: Date: Wed, 5 Dec 2007 11:00:35 +0200 From: "Vlad GALU" To: "Robert Watson" In-Reply-To: <20071205021851.V87930@fledge.watson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <4755EFDD.8070609@isc.org> <20071205021851.V87930@fledge.watson.org> Cc: freebsd-net@freebsd.org, Peter Losher Subject: Re: Aggregating many ports into one for tcpdump server. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Dec 2007 09:25:38 -0000 On 12/5/07, Robert Watson wrote: > > On Tue, 4 Dec 2007, Peter Losher wrote: > > > I am currently working on a tcpdump collector where we have multiple feeds > > coming in (via bge{0-8}). Since tcpdump can only poll one interface per > > process, I was hoping to aggregate the traffic onto one pseudo-interface for > > tcpdump to hold onto and to poll. > > > > Looking thru the archives, it seems ng_one2many (in this case 'many2one') is > > what I am looking for. Am I barking the right tree here? > > Depending on the configuration of the system (number of interfaces, number of > CPUs, etc), you may find that running many tcpdump sessions results on greater > throughput due to making better use of parallelism. For example, if you have > eight cores and four interfaces, then you can end up running with one ithread > and one tcpdump session, each on their own CPU, per interface. Of course, if > you have many more interfaces than CPUs/pairs, then you just end up with much > more context-switching, which will hurt performance. BTW, if you find you're > getting packet loss in BPF processing at high rates, we should have you try > the zero-copy BPF patches. Finally, another configuration you might consider > is a single 10gbps card configured as a vlan trunk attached to a switch > serving the various vlans to various switch ports. I'm not sure if that will > be faster or lower, but it would be different. :-) I would like to try the aforementioned patches too. Can you please point me to a link? > > Robert N M Watson > Computer Laboratory > University of Cambridge > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > -- Mahnahmahnah!