📄 gulpman.html
<HTML><BODY BGCOLOR=ffffff TEXT=000000><PRE>
GULP(1)                          User Commands                         GULP(1)

<B><FONT COLOR=#0000ff>NAME</B></FONT>
       gulp - drink efficiently from the network firehose

<B><FONT COLOR=#0000ff>SYNOPSIS</B></FONT>
       <B><FONT COLOR=#0000ff>gulp</B></FONT> [<B><FONT COLOR=#0000ff>--help</B></FONT> | <B><FONT COLOR=#ff0000>OPTIONS</B></FONT>]

<B><FONT COLOR=#0000ff>DESCRIPTION</B></FONT>
       On a system with at least two CPUs (or cores), <B><FONT COLOR=#0000ff>Gulp</B></FONT> will probably drop
       far fewer packets than <B><FONT COLOR=#0000ff>tcpdump</B></FONT> when capturing from ethernet and
       writing to disk, allowing for much higher packet capture rates. <B><FONT COLOR=#0000ff>Gulp</B></FONT>
       has the ability to read directly from the network but even piping
       output from legacy applications through <B><FONT COLOR=#0000ff>gulp</B></FONT> before writing to disk
       will probably result in a substantial performance improvement.

       Since <B><FONT COLOR=#0000ff>Gulp</B></FONT> uses CPUs #0-1, if you use <B><FONT COLOR=#0000ff>Gulp</B></FONT> in a pipeline and have more
       than 2 CPUs, you can further improve performance by explicitly running
       other programs on CPUs #2-N with <B><FONT COLOR=#0000ff>taskset</B></FONT>(1) as shown in some examples
       below.

       To improve interactive response at low packet rates, <B><FONT COLOR=#0000ff>Gulp</B></FONT> will flush
       its ring buffer if it has not written anything in the last second. If
       the data rate increases, Gulp will realign its writes to even block
       boundaries for optimum writing efficiency.

       When <B><FONT COLOR=#0000ff>Gulp</B></FONT> receives an interrupt, it will stop filling its ring buffer
       but will not exit until it has finished writing whatever remains in
       the ring buffer. If the buffer is large this can take a while--be
       patient.

<B><FONT COLOR=#0000ff>OPTIONS</B></FONT>
       <B><FONT COLOR=#0000ff>-d</B></FONT>     Decapsulates packets from a Cisco "Encapsulated Remote SPAN
              Port" (ERSPAN). Sets the pcap filter expression to "proto gre"
              and strips off Cisco GRE headers (50 bytes) from the packets
              captured. (If used with "-f" note that arguments are processed
              left to right).

       <B><FONT COLOR=#0000ff>-f</B></FONT>     Specify a pcap filter expression. This may be useful to select
              one from many GRE streams (if using <B><FONT COLOR=#0000ff>-d</B></FONT>), or if not using <B><FONT COLOR=#0000ff>-d</B></FONT>,
              because filtering out packets in the kernel is more efficient
              than passing them first through <B><FONT COLOR=#0000ff>Gulp</B></FONT> and then filtering them
              out.

       <B><FONT COLOR=#0000ff>-i</B></FONT> <B><FONT COLOR=#ff0000>eth#</B></FONT>
              Specify the network interface to read from. The default is <B><FONT COLOR=#0000ff>eth1</B></FONT>
              or the value of environment variable $CAP_IFACE, if present.
              Specifying "<B><FONT COLOR=#0000ff>-</B></FONT>" as an "interface" reads a pcap file from
              standard input instead. (If you forget -d during a live
              capture, you can decapsulate offline this way).

       <B><FONT COLOR=#0000ff>-r</B></FONT> <B><FONT COLOR=#ff0000>#</B></FONT>   Specify a ring buffer size (in megabytes). Values from 1-1024
              are permitted, the default is 100MB. If possible, the ring
              buffer will be locked into RAM.

       <B><FONT COLOR=#0000ff>-c</B></FONT>     Just copy and buffer bytes from stdin to stdout -- don't read
              packets from the network and don't assume anything about the
              format of the data. This may be useful to improve the real-time
              performance of another application.

       <B><FONT COLOR=#0000ff>-s</B></FONT> <B><FONT COLOR=#ff0000>#</B></FONT>   Packet capture snapshot length. By default, complete packets
              are captured. For efficiency, captured packets can be truncated
              to a given length during the capture process, which reduces
              capture overhead and pcap file sizes. (If used with "-d",
              specifies length after decapsulation.)

       <B><FONT COLOR=#0000ff>-x</B></FONT>     Use file locking to request (via exclusive lock) that this be
              the only instance of <B><FONT COLOR=#0000ff>Gulp</B></FONT> running. If other instances are
              already running, they must be stopped before Gulp will start
              with this option.

       <B><FONT COLOR=#0000ff>-X</B></FONT>     Override an exclusive lock (above) and run anyway. An instance
              of <B><FONT COLOR=#0000ff>Gulp</B></FONT> started this way will hold a shared lock if no
              exclusive locks were broken, otherwise it will hold no locks at
              all (causing a subsequent attempt to get an exclusive lock to
              succeed).

       <B><FONT COLOR=#0000ff>-v</B></FONT>     Print program version and exit.

       <B><FONT COLOR=#0000ff>-V</B></FONT> <B><FONT COLOR=#0000ff>xxxxxxxxxx</B></FONT>
              If the string of Xs is wide enough (10 or more), it will be
              overwritten twice per second with a brief capture status update
              consisting of one digit followed by two percentages. The digit
              is the number of decimal digits in the actual count of lost
              packets (0 indicates no drops). The two percentages are the
              current and maximum ring buffer utilization. The updated
              argument string can be seen with the "<B><FONT COLOR=#0000ff>ps</B></FONT> <B><FONT COLOR=#0000ff>-x</B></FONT>" command (or
              equivalent).

              If the string of Xs is too short to hold the information above,
              a more verbose status line is written to standard error instead
              (also twice/second). The first method is probably more useful
              to occasionally check on long captures and the second will be
              more convenient while experimenting and setting up a capture.

       <B><FONT COLOR=#0000ff>-p</B></FONT> <B><FONT COLOR=#ff0000>#</B></FONT>   Specify the thread polling interval (in microseconds). The
              reader/writer threads poll at this interval when the ring
              buffer is full/empty waiting for that to change. Polling (even
              frequently) on modern hardware consumes immeasurably few
              resources. The default interval is 1000 (microseconds).

       <B><FONT COLOR=#0000ff>-q</B></FONT>     Suppress warnings about the ring buffer being full. (If input
              is not from a live capture, no data will be lost when the ring
              buffer fills so the warning can be safely suppressed.) (If
              stdin is actually a file, warning suppression will happen
              automatically.)

       <B><FONT COLOR=#0000ff>-z</B></FONT> <B><FONT COLOR=#ff0000>#</B></FONT>   Specify output write blocksize. Any power of two between 4096
              and 65536 will probably be OK. It seems to be slightly more
              efficient to write larger blocks so the default is 65536 for
              now.

<B><FONT COLOR=#0000ff>CAPTURE</B></FONT> <B><FONT COLOR=#0000ff>TO</B></FONT> <B><FONT COLOR=#0000ff>FILE</B></FONT> <B><FONT COLOR=#0000ff>OPTIONS</B></FONT>
       <B><FONT COLOR=#0000ff>-o</B></FONT> <B><FONT COLOR=#ff0000>dir</B></FONT> Redirects pcap output into a collection of files in directory
              <B><FONT COLOR=#ff0000>dir</B></FONT>. Pcap files will be named <B><FONT COLOR=#0000ff>pcap</B></FONT><B><FONT COLOR=#ff0000>###</B></FONT> (where <B><FONT COLOR=#ff0000>###</B></FONT> starts at 000
              and counts up). To prevent mischief, the directory must exist
              (and be writable by the user running Gulp if Gulp is running
              setuid).
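
What the -d description above amounts to for each pcap record (and what an offline pass over a saved capture has to do), as an added Python illustration that is not Gulp's own code: keep only GRE packets, strip the 50 bytes of encapsulation, and shrink both record lengths to match. The function names, the IPv4-only outer-header check and the sample packets are assumptions constructed for this example.

```python
import struct

STRIP = 50  # per the -d text; assumed to be Ethernet 14 + IPv4 20 + GRE 8 + ERSPAN 8

def decap(pcap, strip=STRIP):
    """Return (new_pcap, kept, skipped) with `strip` bytes removed per GRE packet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    out, off, kept, skipped = bytearray(pcap[:24]), 24, 0, 0
    while off + 16 <= len(pcap):
        sec, usec, caplen, wirelen = struct.unpack_from(endian + "4I", pcap, off)
        pkt = pcap[off + 16 : off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < caplen:
            break  # truncated final record: stop rather than emit garbage
        # Stand-in for the "proto gre" filter: untagged Ethernet, IPv4 without
        # options (so the fixed 50-byte offset is valid), IP protocol 47 (GRE).
        is_gre = (caplen > strip and pkt[12:14] == b"\x08\x00"
                  and pkt[14] == 0x45 and pkt[23] == 47)
        if not is_gre:
            skipped += 1
            continue
        inner = pkt[strip:]
        out += struct.pack(endian + "4I", sec, usec, len(inner), wirelen - strip) + inner
        kept += 1
    return bytes(out), kept, skipped

def sample_pcap():
    """Constructed input: one ERSPAN-wrapped frame and one plain UDP frame."""
    inner = bytes.fromhex("ffffffffffff0200000000010806") + b"\x00" * 28
    def ip(proto, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                           proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes.fromhex("020000000002" "020000000003" "0800")
    gre = bytes.fromhex("100088be00000001")     # sequence-present flag, ERSPAN proto
    erspan = bytes.fromhex("1001000100000000")  # constructed 8-byte ERSPAN header
    wrapped = eth + ip(47, 16 + len(inner)) + gre + erspan + inner
    plain = eth + ip(17, 8) + b"\x00" * 8
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<4I", 1, 0, len(p), len(p)) + p for p in (wrapped, plain))
    return hdr + recs, inner

if __name__ == "__main__":
    data, inner = sample_pcap()
    new, kept, skipped = decap(data)
    print(kept, skipped, new[40:] == inner)
```

A fixed-offset strip is only correct when every outer header has the assumed size, so a non-zero skipped count on a capture that should be pure ERSPAN (for example VLAN-tagged outer frames) is worth investigating before trusting the output.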