On 05/14/2013 12:25 PM, Roberto Martelloni wrote:
> I've some questions about netsniff-ng functionality:
>
> 1. is netsniff-ng multi-threaded and if yes, does multi-thread development
> improve the performance of the sniffer?
Currently not, unless you start multiple instances of it, bound to different
CPUs. Then yes, but this only makes sense if your hard drive will not become
a bottleneck and can keep up with the pace (otherwise use a ramfs or the like).
> 2. is netsniff-ng capable of dumping traffic in multiple files, creating
> files with a max size X defined by the user?
Yes. Please see the man-page or --help of the current Git tree version [1].
[1] https://github.com/borkmann/netsniff-ng
> 3. is netsniff-ng capable of tracking tcp sessions and udp flows to allow
> dumping pcap files without splitting a session/flow between multiple files?
No, for performance reasons, we do not track tcp/udp sessions, but I'm
almost sure there are tools that can perform this offline on pcap files.
The only thing you can do here that might help in that respect is to define a
tcpdump-like BPF filter that only lets a particular flow pass the
kernel filter.
Cheers,
Daniel
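
The offline per-flow split mentioned in the answer to question 3, sketched as an added example (not part of the message above and not netsniff-ng code). It assumes a classic microsecond pcap with Ethernet link type and groups only TCP/UDP over IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def flow_key(frame):
    """Direction-independent (proto, endpoint, endpoint) key; None if not TCP/UDP over IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet II carrying IPv4 only
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if proto not in (6, 17) or fragment_offset or ihl < 20 or len(frame) < 14 + ihl + 4:
        return None  # later fragments carry no port numbers
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    ends = sorted([(frame[26:30], sport), (frame[30:34], dport)])
    return (proto, ends[0], ends[1])

def split_by_flow(pcap):
    """Return {flow key: bytes of a standalone pcap holding only that flow's records}."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    flows = defaultdict(lambda: bytearray(pcap[:24]))  # each output starts with the global header
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        end = off + 16 + incl_len
        if end > len(pcap):
            break  # truncated last record, e.g. capture cut at a size limit
        flows[flow_key(pcap[off + 16:end])] += pcap[off:end]
        off = end
    return {key: bytes(data) for key, data in flows.items()}

def sample_pcap():
    """Constructed capture: two TCP flows interleaved, plus one ARP frame."""
    def frame(src, dst, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
        return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + bytes(16)
    a, b, c = (10, 0, 0, 1), (10, 0, 0, 2), (10, 0, 0, 3)
    frames = [frame(a, b, 40000, 80), frame(a, c, 40001, 443), frame(b, a, 80, 40000),
              bytes(12) + b"\x08\x06" + bytes(28), frame(c, a, 443, 40001), frame(a, b, 40000, 80)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for key, data in split_by_flow(sample_pcap()).items():
        print(key, len(data), "bytes")
```

Records that are not TCP/UDP over IPv4 end up under the `None` key, so nothing from the input capture is dropped.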