On 9/10/07, John R Pierce pierce@hogranch.com wrote:
> Wireshark can process and display packet capture files from tcpdump -w.
> Capture a few megabytes of packets on the appropriate interface of the firewall, then transfer them to a workstation with Wireshark for analysis.
OK, I've got some output from "tcpdump -w any" but I don't know precisely what I'm looking for. (I'd be happy to take this off-list.) I notice that just over 1/3 of the packets are TCP out-of-order segments and about 4% are duplicate ACKs.
We also dumped eth0 and eth1 separately. Statistics on the "any" output show 26Mb/s, but eth0 and eth1 independently are only 10Mb/s each.
By the way, those interrupts/sec numbers in my earlier message were off; I chose a bad moment to look at it, when the peak had subsided. At peak it's more like 2500-3000 interrupts/sec, sometimes as high as 3500.
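Added example (not part of this thread, and not code by either poster): a small pure-Python reader for the libpcap files that `tcpdump -w` writes, reproducing in simplified form the two Wireshark analysis flags mentioned above, so you can see what "TCP out-of-order segment" and "duplicate ACK" actually mean in terms of sequence and acknowledgement numbers. The capture it analyses is constructed inline (hosts 10.0.0.1 and 10.0.1.1, ports 40000 and 80 are made up). It handles both the Ethernet link type and the Linux "cooked" link type (DLT 113) that `tcpdump -i any` produces. The `seen_twice` option records every frame twice, which is what a capture on `any` does on a host that forwards traffic between two of its interfaces, since each forwarded packet is seen on ingress and again on egress; the rules for the two flags are deliberately simplified (Wireshark also uses timing to separate retransmissions from out-of-order segments, and this code ignores sequence-number wraparound).

```python
"""Minimal libpcap reader reproducing two of Wireshark's TCP analysis flags (simplified)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic for microsecond timestamps
LINK_HLEN = {1: 14, 113: 16}     # 1 = Ethernet, 113 = Linux "cooked" capture (what `-i any` writes)
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b"", window=65535, linktype=1):
    """Constructed IPv4/TCP frame under an Ethernet or Linux-SLL header. Checksums are left zero;
    the parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    if linktype == 1:
        link = b"\x00" * 12 + b"\x08\x00"                          # dst MAC, src MAC, EtherType IPv4
    else:
        link = struct.pack("!HHH8sH", 0, 1, 6, b"\x00" * 8, 0x0800)  # SLL: pkttype, ARPHRD, addrlen, addr, proto
    return link + ip


def build_pcap(frames, linktype=1):
    """Wrap frames in a little-endian libpcap file with one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1189382400 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out


def iter_tcp(pcap):
    """Yield (src, sport, dst, dport, seq, ack, flags, window, payload_len) for each IPv4/TCP record."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written on a big-endian host
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack(end + "I", pcap[20:24])
    hlen = LINK_HLEN[linktype]         # KeyError for link types this demo does not parse
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame, off = pcap[off:off + incl], off + incl
        if len(frame) < hlen + 20 or frame[hlen - 2:hlen] != b"\x08\x00":
            continue                   # not IPv4
        ip = frame[hlen:]
        ihl = (ip[0] & 0x0F) * 4
        total, = struct.unpack("!H", ip[2:4])
        if ip[0] >> 4 != 4 or ip[9] != 6 or total < ihl + 20:
            continue                   # not TCP, or header truncated by the snaplen
        tcp = ip[ihl:total]
        if len(tcp) < 20:
            continue
        sport, dport, seq, ack, doff, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
        yield ip[12:16], sport, ip[16:20], dport, seq, ack, flags, window, len(tcp) - (doff >> 4) * 4


def analyze(pcap):
    """Count TCP segments with two simplified Wireshark-style flags, per direction of each flow:
    out_of_order: a data segment lying entirely below the highest sequence number already seen
                  (Wireshark further splits these into retransmission / out-of-order by timing);
    dup_ack:      a pure ACK (no data, no SYN/FIN) repeating the previous ACK number and window."""
    counts = {"tcp": 0, "out_of_order": 0, "dup_ack": 0}
    highest = {}   # direction -> highest seq + length seen so far (no wraparound handling)
    last_ack = {}  # direction -> (ack, window) of the last ACK-bearing segment
    for src, sport, dst, dport, seq, ack, flags, window, plen in iter_tcp(pcap):
        counts["tcp"] += 1
        d = (src, sport, dst, dport)
        advance = plen + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
        if plen and d in highest and seq + plen <= highest[d]:
            counts["out_of_order"] += 1
        if advance:
            highest[d] = max(highest.get(d, 0), seq + advance)
        if flags & TCP_ACK:
            if not advance and last_ack.get(d) == (ack, window):
                counts["dup_ack"] += 1
            last_ack[d] = (ack, window)
    return counts


def sample_capture(seen_twice=False, linktype=1):
    """Constructed exchange: A sends three 100-byte segments, the second overtaking the third, and
    B acks 101 twice before acking 301. seen_twice records every frame twice, as `-i any` does
    for packets forwarded between two interfaces of the capturing host."""
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])
    data = b"x" * 100
    frames = [
        build_frame(a, b, 40000, 80, 1, 1, TCP_ACK | TCP_PSH, data, linktype=linktype),    # seq 1..100
        build_frame(b, a, 80, 40000, 1, 101, TCP_ACK, linktype=linktype),                  # ack 101
        build_frame(a, b, 40000, 80, 201, 1, TCP_ACK | TCP_PSH, data, linktype=linktype),  # seq 201..300, overtook 101
        build_frame(b, a, 80, 40000, 1, 101, TCP_ACK, linktype=linktype),                  # ack 101 again -> dup ACK
        build_frame(a, b, 40000, 80, 101, 1, TCP_ACK | TCP_PSH, data, linktype=linktype),  # seq 101..200 -> out of order
        build_frame(b, a, 80, 40000, 1, 301, TCP_ACK, linktype=linktype),                  # ack 301
    ]
    if seen_twice:
        frames = [f for f in frames for _ in (0, 1)]
    return build_pcap(frames, linktype=linktype)


if __name__ == "__main__":
    print("single interface:       ", analyze(sample_capture()))
    print("forwarded, seen on both:", analyze(sample_capture(seen_twice=True)))
```

The point of the `seen_twice` run is a check worth making before reading too much into the Wireshark statistics from an `any` capture on a forwarding host: every duplicate record is counted as a segment below the highest sequence number already seen, and every repeated pure ACK as a duplicate ACK, so the flag percentages and the aggregate byte rate are both inflated relative to a capture on a single interface. Comparing the same statistics on the eth0-only and eth1-only files rules that effect in or out.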