BPF tweak; negative impact?

Carter Bullard carter at qosient.com
Thu Feb 22 08:47:43 EST 2001


It would be very easy to test if there are drops.
Use multiple images of tcpdump to capture multiple
files of the same set of packets, and compare that
against a running argus.  Don't worry about getting
them started or stopped at the exact same time;
just get them all started over a period of 10-20 seconds.

Do it for 10 minutes or so.  Let's say you start at 14:01
and you end around 14:10.  Because you're getting so many
packets per second, we'll need to sample your files
when we know that all the tcpdumps are running.
Run about 3 of them, and run one argus into a file with
these options:

   argus -w argus.file -M 10 -RS 10

Then, after the test period is over, run argus
against the individual tcpdump files and pipe the
output to racount like this:

   argus -r file1 -w - -RS 10 | racount -t 14:03-14:07 
   argus -r file2 -w - -RS 10 | racount -t 14:03-14:07
   argus -r file3 -w - -RS 10 | racount -t 14:03-14:07

and compare that with

   racount -r argus.file -t 14:03-14:07

Check whether argus was reporting packet loss or not using:

   ra -r argus.file -t 14:03-14:07 man

This should tell you if you have packet drops, and if
argus was reporting them appropriately.  It is highly
unlikely that all the processes would lose the same
number of packets, so any variation in numbers is
indicative of loss.

Something like this should do the trick.

Carter


Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134

> -----Original Message-----
> From: Scott A. McIntyre [mailto:scott at xs4all.nl]
> Sent: Thursday, February 22, 2001 8:25 AM
> To: Carter Bullard
> Subject: Re: BPF tweak; negative impact?
> 
> 
> >    processor, 600-800Mhz PIII.  We're not losing any packets
> >    at all, but then again we don't have anything but argus
> >    running.
> > 
> >       How does it do with only argus?
> 
> Hi Carter,
> 
> A fair point.
> 
> Better:
> 
> 22 Feb 01 14:16:33    man  pkts    646637  bytes    243031797  drops 258  flows    121303    closed       22241       CON
> 22 Feb 01 14:17:33    man  pkts    668477  bytes    256723535  drops 849  flows    122804    closed       21628       CON
> 22 Feb 01 14:18:33    man  pkts    660156  bytes    238606035  drops 4932  flows    123726    closed       21826       CON
> 22 Feb 01 14:19:33    man  pkts    649980  bytes    229873924  drops 3007  flows    124867    closed       22058       CON
> 
> 
> However, on the linux box, the same applications are running as on the
> FreeBSD box.  Perhaps Linux is just lying and is indeed dropping but
> simply doesn't have the kernel mechanisms to inform me of that fact?
> 
> Even so, on a machine as equipped as this, I'd still expect 0 drops or a
> lot less.
> 
> What ethernet controller do you use?  We're using, on this machine,
> Intel Ether Express (fxp)...this could, of course, also be a factor.
> 
> Scott
> 
> 
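Added example, not part of the original message or of argus itself: a small shell/awk filter that totals the drops reported in "man" records like the four quoted above, so the loss argus reports can be set beside the racount comparison. The function names are hypothetical, and expressing drops as a percentage of pkts is an assumption about how to relate the two counters.

```sh
#!/bin/sh
# Sample input: the four "man" records quoted in the message above.
sample_man_records() {
cat <<'EOF'
22 Feb 01 14:16:33    man  pkts    646637  bytes    243031797  drops 258  flows    121303    closed       22241       CON
22 Feb 01 14:17:33    man  pkts    668477  bytes    256723535  drops 849  flows    122804    closed       21628       CON
22 Feb 01 14:18:33    man  pkts    660156  bytes    238606035  drops 4932  flows    123726    closed       21826       CON
22 Feb 01 14:19:33    man  pkts    649980  bytes    229873924  drops 3007  flows    124867    closed       22058       CON
EOF
}

# Reads "man" records on stdin, e.g. from
#   ra -r argus.file -t 14:03-14:07 man | man_drop_report
# Prints "time pkts drops drop%" per record, then a TOTAL line.
# Fields are located by keyword, not position, so records that a mail
# client wrapped onto two lines or prefixed with ">" still parse.
man_drop_report() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "man" && i > 1)        ts = $(i - 1)
        else if ($i == "pkts" && i < NF) pkts = $(i + 1) + 0
        else if ($i == "drops" && i < NF) {
          drops = $(i + 1) + 0
          # Assumption: report drops as a percentage of pkts.
          pct = (pkts > 0) ? drops * 100 / pkts : 0
          printf "%s %d %d %.2f\n", ts, pkts, drops, pct
          tp += pkts; td += drops; n++
        }
      }
    }
    END {
      if (n) printf "TOTAL %d %d %.2f\n", tp, td, (tp > 0 ? td * 100 / tp : 0)
    }'
}

# Run the report over the sample when the script is executed directly.
case "$0" in
  *man_drops.sh) sample_man_records | man_drop_report ;;
esac
```
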