藥單
Tuning FreeBSD
Packet capturing utilizes the BPF device, in general in combination with the libpcap. This device executes a filter on each packet and store the packet afterwards in a double-buffer (see [Sch04de-sep, Sch05en-da] for details). The size of this double-buffer can be adjusted via a sysctl
. Setting it to 2×10 Mbytes has proven to be a good choice.
Since FreeBSD 6 you can do this by setting:
sysctl -w net.bpf.bufsize=10485760 sysctl -w net.bpf.maxbufsize=10485760
For older FreeBSD's just use:
sysctl -w debug.bpf_bufsize=10485760 sysctl -w debug.maxbpf_bufsize=10485760
Tuning Linux
Like in FreeBSD Linux offer some possibilities to tune it capturing performance as well. Due to the different capturing stack witch does not have a buffer but a queue of pointers behind the filter, one has to increase the receive buffer for all incomming packets and the queue length. This can be done via the /proc
filesystem (with Linux we found that 32 Mbytes is a good amount of memory):
echo 33554432 > /proc/sys/net/core/rmem_default echo 33554432 > /proc/sys/net/core/rmem_max echo 10000 > /proc/sys/net/core/netdev_max_backlog
An additional possibility to increase the performance is to use the mmap patch of Phil Wood. Please refer to his site for details. But note that this patch does not support non-blocking reads (select) on the packet socket. This is needed by some network analyser software. Bro for example is one of those.
出處
http://www.net.t-labs.tu-berlin.de/research/bpcs/
************************************************************************************************************************
經過多日測試,以上的修改帳況一樣發生,經將dhcpd升級到dhcp-4.2.0-14.P1(記得要有P1)後,發生次數可縮短到只有幾秒鐘,雖然不能完全解決問題,但可接受啦!!