Network Capturing Tips


Linux Network Stack Setup

# Disable NIC offloading capabilities
ethtool -K eth5 tso off gso off gro off sg off

# Don’t save metrics (ssthresh, cwnd, …)
sysctl -w net.ipv4.tcp_no_metrics_save=1
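
A pre-capture check for the two settings above, as an added example that is not part of the original page: it parses `ethtool -k` output and reports which of tso, gso, gro and sg are still on. The function names `enabled_offloads` and `check_iface` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-capture check for the offloads the page disables.

# Constructed sample of `ethtool -k eth5` output (not from a real host).
SAMPLE_FEATURES='Features for eth5:
rx-checksumming: on
scatter-gather: off
    tx-scatter-gather: off
    tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Read `ethtool -k` text on stdin and print the short names (as used with
# `ethtool -K`) of the four offloads that are still on, in input order.
# Prints nothing when tso, gso, gro and sg are all off.
enabled_offloads() {
    awk -F': *' '
        BEGIN {
            short["tcp-segmentation-offload"]     = "tso"
            short["generic-segmentation-offload"] = "gso"
            short["generic-receive-offload"]      = "gro"
            short["scatter-gather"]               = "sg"
        }
        # Indented sub-features keep their leading whitespace in $1,
        # so only the top-level feature lines match the table.
        ($1 in short) {
            split($2, state, " ")        # drops a trailing "[fixed]"
            if (state[1] == "on") out = out (out ? " " : "") short[$1]
        }
        END { if (out) print out }
    '
}

# Hypothetical wrapper for a live interface: 0 = ready to capture,
# 1 = an offload or the TCP metrics cache is still active, 2 = ethtool failed.
check_iface() {
    feat=$(ethtool -k "$1") || return 2
    left=$(printf '%s\n' "$feat" | enabled_offloads)
    nms=$(sysctl -n net.ipv4.tcp_no_metrics_save 2>/dev/null)
    [ -z "$left" ] && [ "$nms" = "1" ] && return 0
    echo "$1: offloads on: ${left:-none}; tcp_no_metrics_save=${nms:-?}" >&2
    return 1
}
```

Run `check_iface eth5` before starting the capture; a feature marked `on [fixed]` is reported as well, since the driver will not let `ethtool -K` turn it off.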

Separate Packet Capturing Host

Disabling offloading is one requirement if capturing is done on the sending host and the captured data should be identical to the wire format. In any case, capturing on the sending or receiving host can influence what is being captured. Especially at high rates (1Gb/s), the capturing process may have negative effects. Another example is a host where capturing is not possible (e.g. no administration rights). One quick solution is to capture from a separate host!

Installing a hub as an intermediate network element between the local communication endpoints is one useful approach. Another solution is a switch with a port mirroring feature. A good product is the HP 1810G-8 ProCurve (8-port) or HP 1810G-24 (24-port) switch! Connect to the switch and enable port mirroring (I use port 24 as the default mirroring port):

# <ADDRESS>/<PREFIX> is a placeholder for the address to assign to eth0
ip a add <ADDRESS>/<PREFIX> broadcast + dev eth0
# factory password is empty (no password) for HP 1810G-24

Network Emulation Tips

The Linux Foundation's netem page provides a detailed description of the Linux network emulator's capabilities. Another good source is the netem man page. Here are two small netem examples, just to show how easy netem setup is.

# Show qdisc for eth5
tc qdisc show dev eth5

# Causes 1% (i.e. 1 out of 100) of packets to be randomly
# dropped, with a correlation of 50%
tc qdisc add dev eth5 root netem loss 1% 50%

# Delay of 100 ms ± 10 ms; because delay is normally not uniformly
# distributed, we add a correlation of 25%
tc qdisc change dev eth5 root netem delay 100ms 10ms 25%