[Winpcap-users] Can winpcap capture that fast?

Ian Hawley ian.hawley at synx.com
Tue Apr 29 16:26:26 GMT 2008


*** Before acting on this email you are advised to read the information at the end of this email. ***
--------------------------------------------------------------------------
In my experience of recording large volumes of network traffic it is
essential to hand off the packets to a secondary buffer in RAM and have
another thread consume the data and write it to disk.  I don't even have
any logging in my capture thread, as it is synchronous, and experience
has shown me, that writing one line of text to a log file can stall a
thread for several seconds, depending on what the OS is doing.

Our volume of data is typically < 8Mbytes/second however in
~8500packets, so at the volumes you are examining you are going to
struggle, especially to get that volume of data through the various bus
bottle-necks and to disk.  We use dedicated RAID cards with 512MB or
1024MB of cache.

Hope that helps
Ian

-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: 29 April 2008 17:00
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Can winpcap capture that fast?

You are probably losing packets because you are dumping to disk. Disks
are 
**slow**, they cannot ususally keep up dumping 400k packets per second.
I 
would try creating a simple application that simply counts the packets
and 
see if you keep losing packets.

If you need to dump to disk, I suggest you looking at the slides of this

presentation

http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and
%20Don'ts.zip

In particular the slide titled "dumping to disk" gives some hints on it.

Have a nice day
GV

----- Original Message ----- 
From: "Zafer SAVAS" <zsavas at aselsan.com.tr>
To: <winpcap-users at winpcap.org>
Sent: Tuesday, April 29, 2008 6:46 AM
Subject: [Winpcap-users] Can winpcap capture that fast?


> Hello,
>
> I have a question about the recording capability of the Winpcap
library:
> I want to monitor a gigabit ethernet link where a large amount of data
is 
> flowing (430.000 MAC Layer packets/second).
> When I observe my network connection status for incoming and outgoing 
> packets using the windows LAN connection on the system tray, I see
that 
> exactly 430.000 packets are received. However when I want to record
them 
> using my c program, I can only record 20.000 of them.
>
> So, do you think I am doing something wrong or is this the maximum
speed 
> of the library?
>
> P.S : I am already using the dump file utility of the library for fast

> recording.
>
> Best Regards
> Zafer
>
> ######################################################################
> Dikkat:
>
> Bu elektronik posta mesaji kisisel ve ozeldir. Eger size
> gonderilmediyse lutfen gondericiyi bilgilendirip mesaji siliniz.
> Firmamiza gelen ve giden mesajlar virus taramasindan gecirilmekte,
> guvenlik nedeni ile kontrol edilerek saklanmaktadir. Mesajdaki
> gorusler ve bakis acisi gondericiye ait olup Aselsan A.S. resmi
> gorusu olmak zorunda degildir.
>
> ######################################################################
> Attention:
>
> This e-mail message is privileged and confidential. If you are
> not the intended recipient please delete the message and notify
> the sender. E-mails to and from the company are monitored for
> operational reasons and in accordance with lawful business practices.
> Any views or opinions presented are solely those of the author and
> do not necessarily represent the views of the company.
>
> ######################################################################
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users 

_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users

--------------------------------------------------------------------------
Please visit us at IFSEC 2008
Stand 17111, Hall 19
NEC Birmingham 12 - 15th May
Register now to attend at http://www.ifsec.co.uk/register
 
   3-4 Broadfield Close, Sheffield S8 0XN, United Kingdom
Telephone +44 (0) 114 255 2509
Facsimile +44 (0) 114 258 2050 
Web Address http://www.synx.com/
--------------------------------------------------------------------------
This email is confidential and may also be legally privileged or exempt from disclosure under applicable law. It is intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, please destroy it immediately without reading the contents of the e-mail or opening attachments. Any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please notify the sender by e-mail, telephone or fax. 
Replies to this e-mail may be monitored by Synectic Systems Group Limitedfor operational or business reasons, within the scope of the law.
Any opinions or information presented in this e-mail or any attachments that do not relate to the business of Synectic Systems Group Limited are solely those of the author and do not represent or are endorsed by Synectic Systems Group Limited. No contract may be construed by this e-mail or any attachments, unless specifically expressed therein.
Security Warning: Internet communications are not guaranteed to be secure or virus-free. Except to the extent Synectic Systems Group Limited may not exclude its liability under law Synectic Systems Group Limited does not accept responsibility for any loss whatsoever arising from unauthorised access to, or interference with, any communications over the internet by any third party, or from the transmission of any viruses. 
Synectic Systems Group Limited, trading as Synectics Security Networks. Registered in England & Wales, No. 05815524 . Registered Office; 3-4 Broadfield Close, Sheffield S8 0XN . VAT No. GB 417 0698 46
--------------------------------------------------------------------------




More information about the Winpcap-users mailing list