NTOP Performance Improvement Scheme
Ntop is a Linux under common open source monitoring software, it can monitor the data including: network traffic, usage protocol, System load, port condition, packet sending time and so on. Normally it works like a passive sonar, silently receiving a variety of information from the network, through the analysis of these data, the network administrator can understand the current health of the network, but once more than Ntop packet processing power, Ntop A performance issue occurs that causes Ntop the inability to accurately analyze network traffic and various data has an impact on network management. A method for improving Ntop performance is described below.
usuallyNtopthe packet-capture analysis function isNtopthemselves done, but they were all throughLibpcapto achieve the clutch, and the speed cannot exceed100M, analyzeLibpcapprocess we understand that first packet through path for NIC hard interrupt → soft interrupt → kernel stack → system call →Socket→->libpcapinterface → user application, in this process, you can see the dataCopymore, so at high rateLibpcapit doesn't have to be strange to catch a packet and lose a packet.
for a gigabit network, you need to use pf_ring technology to accept the packet, pf_ring run on Linux kernel layer, as shown in the architecture diagram, it uses class-like 0 copy technology, and pf_ring The speed ratio of the data obtained from the NIC Libpcap There is a multiplier increase, and almost no packet loss in a gigabit environment.
650) this.width=650; "title=" 6-28.jpg "alt=" wkiol1dx3oli9vn-aacz6vcccoo707.jpg-wh_50 "src=" http://s5.51cto.com/ Wyfs02/m02/83/5e/wkiol1dx3oli9vn-aacz6vcccoo707.jpg-wh_500x0-wm_3-wmp_4-s_888087732.jpg "/>
for the kernel must be familiar with the following methods can be used to first patch the kernel source code ( The following content requires the reader to have the Linux kernel compilation base ) .
1 ) . Zcat linux-2.6.25-1-686-smp-pf_ring.patch.gz | patch-p0
2 ) . in the /usr/src/ under the directory linux-2.6.25 Table of contents, editing Makefile Add a custom suffix to this place (e.g. -pf_ring ):
Extraversion =-pf_ring
3 ) . Make Menuconfig
650) this.width=650; "title=" 6-28-1.jpg "alt=" wkiom1dx3plri_goaacs-x8hy_g225.jpg-wh_50 "src=" http://s4.51cto.com/ Wyfs02/m02/83/5f/wkiom1dx3plri_goaacs-x8hy_g225.jpg-wh_500x0-wm_3-wmp_4-s_2693166469.jpg "/>
650) this.width=650; "title=" 6-28-2.jpg "alt=" wkiol1dx3qphbsy2aabwo0i45ou138.jpg-wh_50 "src=" http://s1.51cto.com/ Wyfs02/m00/83/5e/wkiol1dx3qphbsy2aabwo0i45ou138.jpg-wh_500x0-wm_3-wmp_4-s_3239468528.jpg "/>
here Press y Choose the pf_ring , and then save the changes to . config exit. And then you start compiling the kernel .
#make
#make Modules Install the compiled Modules
#make Install
Note : The Bzimage Add to Grub to boot with the new kernel (note that the newly added kernel is not the default boot entry)
(with Make Install You can eliminate manual copying Bzimage and generate INITRD the tedious process)
Enterlibpcap-1.1.1-ringdirectory, modify the source code, willpf_ringthe kernelRingBuffer set to2M, the default0.5M, and then modifyMakeFile, point to the installation directoryusr/,Default Pointusr/local. Then compileMake ,thenMake Install; In this way, you willlibpfring.so, Pfring_e1000e_dna.h,pfring.h,libpfring.acopy it to theUsr/includeorUsr/libat the same time withlibpcap-1.1.1-ringThe library file replaces the originalLibpcaplibrary files;
If you think this method of modifying the kernel is more complex, let us recommend a simple way to www.ntop.org, download pf_ring-5.1.0.tar.gz Pack, untie pf_ring Run as a standalone module, no need to hit Patch directly after the kernel Make we can.
#insmod./pf_ring.ko Loading Modules
# DMESG | grep RING
[pf_ring] Welcome to pf_ring 3.9.3 # This part is pf_ring output at initialization time.
[Pf_ring] Ring Slots 4096
[Pf_ring] Slot version 9
[Pf_ring] Capture TX Yes [RX+TX]
[Pf_ring] IP Defragment No
[Pf_ring] Initialized correctly
[Pf_ring] registered/proc/net/pf_ring/
[pf_ring] successfully allocated 815104 bytes at 0xd0ad4000 # after each run pf_ring The program will output such debugging information
[pf_ring] Allocated 4115 slots [slot_len=198][tot_mem=815104]
[Pf_ring] removed/proc/net/pf_ring/2849-eth0.0
Note that when you first start the machine, ls/proc/net/pf_ring/ is not visible to this directory, only when needed pf_ring the first time the program is run, the directory is generated and a Info file
after the installation is complete , Shell the input :
#dmesg |grep pf_ring to verify the configuration is successful, see figure 4 .
650) this.width=650; "title=" 6-28-3.jpg "alt=" wkiom1dx3rtayxniaadspgp9f8s683.jpg-wh_50 "src=" http://s4.51cto.com/ Wyfs02/m01/83/5f/wkiom1dx3rtayxniaadspgp9f8s683.jpg-wh_500x0-wm_3-wmp_4-s_2536105022.jpg "/>
when you see 4 The output shown is indicative of this Ntop the performance of the transformation success, then your Ntop The system has improved the performance of packet capture and can adapt to the network environment with higher traffic.
51CTO Academy outstanding Lecturer in the selection, I look forward to your valuable vote!
Http://edu.51cto.com/lecturer/user_id-350944.html
This article is from the "Lee Chenguang Original Technology blog" blog, please be sure to keep this source http://chenguang.blog.51cto.com/350944/1793524
NTOP Performance Improvement Scheme