
how to investigate packet drops?

2019-03-20
2019-03-26
  • Rick McClinton

    Rick McClinton - 2019-03-20

    I have installed RCDCap 0.9 on SecurityOnion latest. I had to use
    libboost1.58 to compile, and had to hack the cmake file to update the
    obsolete dependencies.

    The hardware has 2x 10G interfaces bonded as a VLAN trunk for both server
    access and to deliver ERSPAN from two Nexus 9000 switches.
    RCDCap command line is
    rcdcap -i bond0.1005 -s 65535 --erspan --tap-persist --tap-device mon1
    --worker-threads 8 --expression "proto gre"

    I am getting lots of drops indicated, e.g. quite soon after a reboot
    ifconfig mon1 shows RX packets 38044824 and dropped 7496745.
    Is it possible to troubleshoot the drops?

    thanks,
    Rick

     
  • Zero effect

    Zero effect - 2019-03-22

    You can increase the internal buffer size, but it won't help you for sustained 10G load. Try running it in dummy mode; this will tell us whether it is bottlenecked by libpcap.

     
    • Rick McClinton

      Rick McClinton - 2019-03-26

      Yes, I agree about the 10G - fortunately the bottleneck on my target segment is currently 1G.

      I've played with the command line options using --dummy "benchmarks"; I think I am seeing better performance using default worker threads (32) and --buffer-size 1024MB.
      The typical result is to see slightly fewer packets captured by the application than by the kernel, with zero drops by kernel/driver/buffer. "Better performance" meaning less difference between application and kernel counters. I've also been checking the physical interface counters and I'm not seeing errors/drops on those to coincide with the rcdcap data.

      I had expected to need to reduce CPU overhead with --threads 8, but the default does not seem to increase the load so I am going to run with that for a while.

      thanks!
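
The counter comparison discussed in this thread (physical interfaces, the bonded VLAN interface, and the mon1 tap) can be scripted. The following is an added example, not part of the original posts and not RCDCap code: it diffs two snapshots in /proc/net/dev format and reports the first interface along the capture path whose drop or error counter moved. The bond member names eth4/eth5 and all sample counters except the mon1 figures quoted in the first post are assumptions.

```python
# Added example (not from the thread): find where RX drops appear along a
# capture path, using two snapshots in /proc/net/dev format.
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")

def parse_proc_net_dev(text):
    """Return {iface: {rx_field: int}} parsed from /proc/net/dev content."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        name, data = line.split(":", 1)
        fields = data.split()
        if len(fields) >= 16:        # 8 receive + 8 transmit counters
            stats[name.strip()] = dict(zip(RX_FIELDS, map(int, fields[:8])))
    return stats

def rx_deltas(before, after, path):
    """Per-interface RX deltas between snapshots, in capture-path order."""
    rows = []
    for iface in path:
        if iface not in before or iface not in after:
            continue
        d = {k: after[iface][k] - before[iface][k] for k in ("packets", "errs", "drop")}
        d["iface"] = iface
        # Ratio of the drop counter to the packet counter over the interval.
        d["drop_ratio"] = d["drop"] / d["packets"] if d["packets"] > 0 else 0.0
        rows.append(d)
    return rows

def first_dropping(rows):
    """First interface in the path whose drop or error counter moved, else None."""
    return next((r["iface"] for r in rows if r["drop"] > 0 or r["errs"] > 0), None)

# Constructed sample data: eth4/eth5 are assumed bond member names; only the
# mon1 figures come from the first post, the other counters are invented.
HEADER = "Inter-|   Receive  |  Transmit\n face |bytes packets errs drop ...\n"
def _row(name, packets, drop):
    return f"{name}: 0 {packets} 0 {drop} " + "0 " * 12 + "\n"

PATH = ["eth4", "eth5", "bond0", "bond0.1005", "mon1"]
BEFORE = HEADER + "".join(_row(n, 0, 0) for n in PATH)
AFTER = HEADER + (_row("eth4", 22000000, 0) + _row("eth5", 23600000, 0) +
                  _row("bond0", 45600000, 0) + _row("bond0.1005", 45541569, 0) +
                  _row("mon1", 38044824, 7496745))

if __name__ == "__main__":
    for r in rx_deltas(parse_proc_net_dev(BEFORE), parse_proc_net_dev(AFTER), PATH):
        print(f'{r["iface"]:<12} rx={r["packets"]:>10} drop={r["drop"]:>9} ratio={r["drop_ratio"]:.3f}')
```

On a live sensor, replace BEFORE and AFTER with two reads of /proc/net/dev taken some seconds apart while rcdcap is running.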

       
