Wireshark-dev: Re: [Wireshark-dev] Packet Loss due to Disk Contention with Running Dumpcap in a

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Thu, 13 Dec 2012 09:05:16 -0800

On Thu, Dec 13, 2012 at 8:59 AM, John Powell <jrp999@xxxxxxxxx> wrote:
> Hi Ronnie,
>
> I am capturing a 250 MB file every few seconds.  My ATOP reports:
>
> MDD |          md2 | busy      0% | read       1  | write  15442 | KiB/r
> 4 | KiB/w      4 | MBr/s   0.00 | MBw/s  60.32  | avq     0.00 | avio 0.00
> ms |
> DSK |          sda | busy    107% | read       1  | write    205 | KiB/r
> 4 | KiB/w    506 | MBr/s   0.00 | MBw/s 101.33  | avq    93.88 | avio 4.51
> ms |
> DSK |          sdb | busy     92% | read       0  | write    191 | KiB/r
> 0 | KiB/w    511 | MBr/s   0.00 | MBw/s  95.50  | avq    86.84 | avio 4.20
> ms |
>
> I need the resulting files to be searchable by TSHARK and be able to create
> a PCAP extraction based on the search.
>
> The dumpcap command being used is:
>
> /usr/local/bin/dumpcap -B 16 -i 4 -f "vlan and (not vrrp and not udp port 1985
> and not ether host 01:00:0c:cc:cc:cc)" -g -b filesize:250000 -b duration:900
> -w /data/eth2.cap
>
> I am looking at using an SSD for my OS and my Capture volume which may help
> out with the Disk IO issue but eliminating the copy from the /TMP would
> definitely be an asset.

That sounds like about 100MB/s.

If you can use a file system like XFS that can separate metadata from
data, and put your metadata on SSD, then you might find that a small
array of spinning disks is enough for you.

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. -- Cao Cao)
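
An added example, not part of the original thread: a small parser for the atop MDD/DSK lines quoted above (re-joined here, since the e-mail wrapped each line) that flags physical disks which are both near 100% busy and queueing requests. The function names and the 90% busy / queue-depth thresholds are assumptions chosen for illustration.

```python
import re

# atop lines from the quoted message, re-joined (the e-mail wrapped each one).
ATOP_SAMPLE = """\
MDD |          md2 | busy      0% | read       1  | write  15442 | KiB/r 4 | KiB/w      4 | MBr/s   0.00 | MBw/s  60.32  | avq     0.00 | avio 0.00 ms |
DSK |          sda | busy    107% | read       1  | write    205 | KiB/r 4 | KiB/w    506 | MBr/s   0.00 | MBw/s 101.33  | avq    93.88 | avio 4.51 ms |
DSK |          sdb | busy     92% | read       0  | write    191 | KiB/r 0 | KiB/w    511 | MBr/s   0.00 | MBw/s  95.50  | avq    86.84 | avio 4.20 ms |
"""

# One cell looks like "busy 107%", "MBw/s 101.33" or "avio 4.51 ms".
FIELD = re.compile(r"^(\S+)\s+([\d.]+)\s*(%|ms)?$")

def parse_atop_line(line):
    """Split one atop disk line into {type, dev, <field>: float}; None if not a disk line."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 2 or cells[0] not in ("DSK", "MDD", "LVM"):
        return None
    row = {"type": cells[0], "dev": cells[1]}
    for cell in cells[2:]:
        m = FIELD.match(cell)
        if m:
            row[m.group(1)] = float(m.group(2))
    return row

def parse(text):
    """Parse every disk line in a block of atop output, skipping anything else."""
    return [r for r in map(parse_atop_line, text.splitlines()) if r]

def saturated(rows, busy_pct=90.0, queue=1.0):
    """Physical disks (DSK) at or above busy_pct with more than `queue` requests waiting.

    Thresholds are illustrative assumptions, not atop's own alert levels.
    """
    return [r["dev"] for r in rows
            if r["type"] == "DSK"
            and r.get("busy", 0.0) >= busy_pct
            and r.get("avq", 0.0) > queue]

if __name__ == "__main__":
    rows = parse(ATOP_SAMPLE)
    for r in rows:
        print(f'{r["dev"]:4} busy={r["busy"]:4.0f}%  write={r["MBw/s"]:6.2f} MB/s  avq={r["avq"]:6.2f}')
    print("saturated:", saturated(rows))
```

On the quoted figures both member disks are flagged while the md2 array itself reports 0% busy, which is why the per-disk DSK lines, not the MDD line, are the ones to watch when dumpcap starts dropping packets.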