full socket buffers

Friesen, Don SSBC:EX Don.Friesen at gov.bc.ca
Fri Feb 11 15:25:58 UTC 2011


>Snooping/storing traffic would cause high disk I/O and probable influence
>DHCPD performance. It could be a week before the issue occur :-(

   We have a sniffer for our DHCP server traffic.  The switch mirrors the traffic of all our DHCP servers to a server dedicated to watching the traffic.  It tends to show us things like rougue servers answering our traffic (when someone inserts a Linksys they bought onto our network with DHCP configured).

   On our DNS servers we run a rolling 10000 packet capture, and spin it off to a support server if it takes less than a couple of seconds to capture the 10000 packets. "snoop -qr -c 10000 -o /var/tmp/dns.watch" and the servers never notice the load.  I suspect the '-r' is not needed when '-o' is present.

   So from "could be a week" you have not noticed a pattern for how long it takes to occur?  It might be enough to just capture the packets shortly before you restart DHCPD.  What does DHCPD performance matter if you're just about to kill the task.

Don.


More information about the dhcp-users mailing list