
PF_RING ZC and multiple tcpdumps
Hello,

I am trying to improve a current monitoring situation where we use dumpcap with Wireshark to capture specific traffic. We have anywhere from 20 - 50 copies of Wireshark running with filters for different traffic. The problem is that past 50 traces running, the system starts dropping packets.

I am testing PF_RING ZC with tcpdump to see how it can improve the capturing but it seems I can only use one instance when specifying the interface "zc:eth1". Is it possible to have multiple tcpdumps running with filters or is there a better way to accomplish this?

Regards,

Lee
Re: PF_RING ZC and multiple tcpdumps
Hi Lee,

ZC is a kernel-bypass technology; in essence the application runs a userspace driver controlling the network interface, and that's why you can use only one instance of tcpdump. In order to receive the same traffic from multiple tcpdump instances you should use zbalance_ipc (https://github.com/ntop/PF_RING/tree/dev/userland/examples_zc), which is a sample application capturing traffic and distributing it to multiple consumers using software queues. You can use fanout distribution (sending all traffic to all consumers, then filtering on the consumers, but I guess you will have the same performance issues), or any other distribution function (you can write your own distribution function).

Alfredo

> On 13 Feb 2017, at 20:31, Lee Tessier <LTessier@babytel.net> wrote:
>
> Hello,
>
> I am trying to improve a current monitoring situation where we use dumpcap with Wireshark to capture specific traffic. We have anywhere from 20 – 50 copies of Wireshark running with filters for different traffic. The problem is that past 50 traces running, the system starts dropping packets.
>
> I am testing PF_RING ZC with tcpdump to see how it can improve the capturing but it seems I can only use one instance when specifying the interface “zc:eth1”. Is it possible to have multiple tcpdumps running with filters or is there a better way to accomplish this?
>
> Regards,
>
> Lee
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
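The reply above points at the alternative to fanout-plus-filtering: a custom distribution function that steers each packet to the one consumer queue that wants it, so each downstream tcpdump sees only its own class of traffic and the per-consumer BPF filtering disappears. The following is an added example, not code from the thread or from the PF_RING project. It implements such a classifier over a raw Ethernet/IPv4 frame (VLAN tag, IP options, fragments, non-IP and truncated frames handled) and maps traffic to three constructed queues by TCP/UDP port; the port numbers, queue layout and `HAVE_PFRING_ZC` guard are constructed for illustration, and the PF_RING ZC callback signature and `pfring_zc_pkt_buff_data()` call inside that guard are assumptions to be checked against your version's `pfring_zc.h` rather than documented facts from this page.

```c
/* Added example (not PF_RING's own code): packet classifier in the shape of a
 * zbalance_ipc custom distribution function. Returns the consumer queue index
 * for a raw frame so that each consumer tcpdump receives only its traffic.
 * Self-contained: parses Ethernet/802.1Q/IPv4 itself, no PF_RING link needed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NUM_QUEUES 3   /* constructed layout: three consumer queues */
#define Q_OTHER    0   /* catch-all consumer */
#define Q_SIP      1   /* SIP signalling consumer (port 5060, constructed choice) */
#define Q_WEB      2   /* HTTP/HTTPS consumer (ports 80/443, constructed choice) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one frame: returns a queue index in [0, NUM_QUEUES) or -1 to drop.
 * Every length check guards the next header read, so a truncated or malformed
 * frame is dropped rather than read past the buffer. */
int64_t classify_frame(const uint8_t *pkt, size_t len) {
  size_t off = 12;                       /* skip dst/src MAC */
  if (len < 14) return -1;
  uint16_t etype = rd16(pkt + off);
  off += 2;
  if (etype == 0x8100) {                 /* single 802.1Q tag */
    if (len < off + 4) return -1;
    etype = rd16(pkt + off + 2);
    off += 4;
  }
  if (etype != 0x0800) return Q_OTHER;   /* non-IPv4: catch-all queue */
  if (len < off + 20) return -1;
  const uint8_t *ip = pkt + off;
  if ((ip[0] >> 4) != 4) return -1;      /* version mismatch with ethertype */
  size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
  if (ihl < 20 || len < off + ihl) return -1;
  uint8_t proto = ip[9];
  uint16_t frag_off = rd16(ip + 6) & 0x1fff;
  if (frag_off != 0) return Q_OTHER;     /* non-first fragment: no L4 header */
  if (proto != 6 && proto != 17) return Q_OTHER;  /* not TCP/UDP */
  off += ihl;
  if (len < off + 4) return -1;          /* need both port fields */
  uint16_t sport = rd16(pkt + off);
  uint16_t dport = rd16(pkt + off + 2);
  if (sport == 5060 || dport == 5060) return Q_SIP;
  if (sport == 80 || dport == 80 || sport == 443 || dport == 443) return Q_WEB;
  return Q_OTHER;
}

#ifdef HAVE_PFRING_ZC
#include "pfring_zc.h"
/* ASSUMPTION: zbalance_ipc distribution callback shape, to be verified against
 * pfring_zc.h; the return value picks the output queue in non-fanout modes. */
int64_t port_distribution_func(pfring_zc_pkt_buff *pkt_handle,
                               pfring_zc_queue *in_queue, void *user) {
  (void)user;
  u_char *data = pfring_zc_pkt_buff_data(pkt_handle, in_queue);
  return classify_frame(data, pkt_handle->len);
}
#endif

/* Build a constructed Ethernet(/802.1Q)/IPv4/L4 frame with the given ports.
 * Only the fields the classifier reads are filled in. Returns frame length. */
size_t build_frame(uint8_t *buf, int vlan, uint8_t proto,
                   uint16_t sport, uint16_t dport) {
  memset(buf, 0, 64);
  size_t off = 12;
  if (vlan) { buf[off] = 0x81; buf[off + 1] = 0x00; buf[off + 3] = 0x0a; off += 4; }
  buf[off] = 0x08; buf[off + 1] = 0x00; off += 2;   /* ethertype IPv4 */
  buf[off] = 0x45;                                  /* IPv4, IHL 5 */
  buf[off + 9] = proto;
  off += 20;
  buf[off]     = (uint8_t)(sport >> 8); buf[off + 1] = (uint8_t)sport;
  buf[off + 2] = (uint8_t)(dport >> 8); buf[off + 3] = (uint8_t)dport;
  return off + 8;                                   /* ports plus a little payload */
}

/* Convenience: classify a constructed frame (used by main and by tests). */
int64_t classify_constructed(int vlan, uint8_t proto, uint16_t sport, uint16_t dport) {
  uint8_t buf[64];
  size_t len = build_frame(buf, vlan, proto, sport, dport);
  return classify_frame(buf, len);
}

int main(void) {
  printf("tcp :40000->443        -> queue %lld\n", (long long)classify_constructed(0, 6, 40000, 443));
  printf("udp vlan 5060->5060    -> queue %lld\n", (long long)classify_constructed(1, 17, 5060, 5060));
  printf("tcp :12345->22         -> queue %lld\n", (long long)classify_constructed(0, 6, 12345, 22));
  printf("icmp                   -> queue %lld\n", (long long)classify_constructed(0, 1, 0, 0));
  return 0;
}
```

With a classifier like this in place, the queue index decides which consumer tcpdump gets the packet, so no consumer has to parse and discard the other 49 consumers' traffic; the catch-all queue keeps anything the classifier does not recognise (non-IPv4, later fragments) visible rather than silently dropped.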