Hi,
I'm looking into how many packets can packetbeat capture before it starts dropping them doing tcpreplay in loopback, With speeds up to 1 Gbps I only get approximately 50 packets per second. Is this normal? Is there any way to get better results? I am using af_packet with a 500 Mb buffer.
Ada
50 pps sounds crazy low. Which packetbeat version are you testing?
Latest version, 1.2
You run linux in VM?
How can you tell ~50 pps are processed?
You run packetbeat in debug mode?
Which outputs have you configured?
What kind of traffic are you pushing? Any timeouts in packetbeat due to missing requests/responses?
I can tell only 50 transactions per second appear in Kibana. I'm not running it in debug mode and it outputs only to elasticsearch. I'm using a http pcap file and there are some timeouts but not enough to justify so few packets.
So you have like 50 transactions per second in elasticsearch, not packetbeat only processing 50 packets per second. Maybe it's a problem with indexing performance in elasticsearch. Have you tried to increase bulk_max_size: ... in elasticsearch output? Default size for ES is 50. If ES can not index fast enough, packetbeat will drop transaction events.
Here are some tips for getting stats about filebeat output. The same script and httpprof option works for packetbeat as well.
I have tried increasing bulk_max_size to 500 but the results are pretty much the same, 60 transactions per second in elasticsearch. I have also tried running packetbeat in debug mode and only about 1/10 of the packet I replay get processed and I also get a lot of warnings about gaps in the tcp stream. MAybe that has something to do with it?
Thanks
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.