libpcap to capture 10 Gbps NIC


Question

I want to capture packets from a 10Gbps network card with 0 packet loss. I am using libpcap for a 100Mbps NIC and it is working fine. Will libpcap be able to handle 10Gbps NIC traffic? If not, what are the other alternative ways to achieve this?

Recommended answer

Whether or not libpcap will handle 10Gbps with 0 packet loss is a matter of the machine that you are using and libpcap version. If the machine, CPU and HDD I/O are fast enough, you may get 0 packet loss. Otherwise you may need to perform the following actions:


  • Update your libpcap to the most recent version. Libpcap 1.0.0 or later supports a zero-copy (memory-mapped) mechanism. It means that there is a buffer that's in both the kernel's address space and the application's address space, so that data doesn't need to be copied from a kernel-mode buffer to a user-mode buffer. Packets are still copied from the skbuff (Linux) into the shared buffer, so it's really more like "one-copy", but that's still one fewer copy, so that could reduce the CPU time required to receive captured packets. Moreover, more packets can be fetched from the buffer per application wake-up call.

If you observe a high CPU utilization, it is probably your CPU that cannot handle the packet arrival rate. You can use xosview (a system load visualization tool) to check your system resources during the capture.

If the CPU drops packets, you can use PF_RING. PF_RING is an extension of libpcap with a circular buffer: http://www.ntop.org/products/pf_ring/. It is way faster and can capture with 10Gbps with commodity NICs http://www.ntop.org/products/pf_ring/hardware-packet-filtering/.

Another approach is to get a NIC that has an on-board memory and a specific HW design for packet capturing, see http://en.wikipedia.org/wiki/DAG_Technology.

If the CPU is not any more your problem, you need to test disk data transfer speed. hdparm is the simplest tool on Linux. Some distros come with a GUI, otherwise:

$ sudo hdparm -tT /dev/hda

If you are developing your own application based on libpcap:


  • Use pcap_stats to identify (a) the number of packets dropped because there was no room in the operating system's buffer when they arrived, because packets weren't being read fast enough; (b) number of packets dropped by the network interface or its driver.

  • a) Libpcap 1.0.0 has an API that lets an application set the buffer size, on platforms where the buffer size can be set.
    b) If you find it hard to set the buffer, you can use Libpcap 1.1.0 or later, in which the default capture buffer size has been increased from 32K to 512K.
    c) If you are just using tcpdump, use 4.0.0 or later and use the -B flag for the size of the buffer.
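
An added example, not part of the original answer: a Python helper that builds a tcpdump command line with an enlarged -B buffer and parses the counters tcpdump prints on exit (taken from pcap_stats) into the two drop causes the answer distinguishes. The interface name, file name and sample output below are constructed for illustration.

```python
import re

# tcpdump prints these counters to stderr when it exits; they come from pcap_stats().
_SUMMARY = re.compile(
    r"^(\d+) packets? "
    r"(captured|received by filter|dropped by kernel|dropped by interface)$",
    re.MULTILINE,
)

def tcpdump_argv(iface, buffer_kib, outfile):
    """Build a tcpdump command line; -B sets the capture buffer size in KiB."""
    return ["tcpdump", "-i", iface, "-B", str(buffer_kib), "-w", outfile]

def parse_summary(stderr_text):
    """Return the exit counters as a dict; counters not printed default to 0."""
    stats = {"captured": 0, "received by filter": 0,
             "dropped by kernel": 0, "dropped by interface": 0}
    for count, name in _SUMMARY.findall(stderr_text):
        stats[name] = int(count)
    return stats

def diagnose(stats):
    """Map the drop counters onto causes (a) and (b) from the answer."""
    findings = []
    if stats["dropped by kernel"]:
        findings.append("(a) OS buffer full: packets were not read fast enough")
    if stats["dropped by interface"]:
        findings.append("(b) dropped by the network interface or its driver")
    return findings or ["no loss reported"]

# Constructed sample of tcpdump's stderr at exit (not real capture data).
SAMPLE_STDERR = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
1483920 packets captured
1500000 packets received by filter
16080 packets dropped by kernel
"""

if __name__ == "__main__":
    print(" ".join(tcpdump_argv("eth0", 65536, "capture.pcap")))
    stats = parse_summary(SAMPLE_STDERR)
    print(stats)
    for line in diagnose(stats):
        print(line)
```

tcpdump prints the "dropped by interface" line only when that counter is non-zero, which is why the parser defaults it to 0.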
