In this mode you need to configure port mirror / SPAN / TAP from your switch or router device. We suggest using separate interface for management connection with FastNetMon for reliability reasons.
Enable plugin for mirror capture:
sudo fcli set main mirror_afpacket enable
List all available interfaces for your system:
sudo fcli show interfaces
Enable capture for specific port (you may specify any number of ports):
sudo fcli set main interfaces em1 sudo fcli commit
Then enable port mirroring on router or switch side.
By default FastNetMon samples traffic 1 to 100 for better accuracy on low speeds but if your capture 1G or more then we recommend increasing sampling rate to at least 1 to 1000 to avoid traffic drops:
sudo fcli set main mirror_af_packet_sampling enable sudo fcli set main mirror_af_packet_sampling_rate 1000 sudo fcli commit
By default FastNetMon relies on Linux kernel to do packet sampling and then receives data using single thread. If you use sampling then you must enable this mode or you will have enormous traffic spikes during FastNetMon restart which will lead to false positives:
sudo fcli set main mirror_af_packet_disable_multithreading enable sudo fcli commit
Each AF_PACKET socket has multiple counters about number of packets dropped due to performance issues. This option is disabled by default but you can easily enable it this way:
sudo fcli set main mirror_af_packet_socket_stats enable sudo fcli commit
After enabling this option you will see two more counters for following debug command:
sudo fcli show system_counters |grep socket
Example output:
socket_received_packets 0 socket_dropped_packets 0
If you do not use sampling (not recommended for production setups) FastNetMon will run 1 worker thread for each queue on NIC. For many modern NICs number of queues is set to number of active cores. In cases when your machine has many cores (16, 24 or more) it may lead to lock contention and then you will see all CPU cores busy but traffic will be under counted. In this case we suggest setting lower number of queues on NIC this way:
sudo ethtool --set-channels eth4 combined 8
Another option to improve mirror capture performance is fanout type, FastNetMon has support for following fanout algorithms (for more details, please check this page in PACKET_FANOUT section):
- cpu
- lb
- hash
- random
- rollover
- queue_mapping
By default, FastNetMon uses “cpu” but you can easily change it this way:
sudo fcli set main mirror_af_packet_fanout_mode cpu sudo fcli commi
Some routers such as Juniper MX have capability to sample mirrored traffic on router’s data plane. It’s very good approach as it reduces amount of traffic delivered from router to machine with FastNetMon and significantly reduced amount of required CPU resources. To get correct traffic all data have to be multiplied on sampling rate by FastNetMon. Port mirror has no options to encode sampling rate in traffic stream and you need to specify it manually this way:
sudo fcli set main mirror_af_external_packet_sampling enable sudo fcli set main mirror_external_af_packet_sampling_rate 1000 sudo fcli commit
If you have any performance issues with this capture mode, we suggest testing new experimental capture plugin: AF_XDP.
If you’re looking for GRE support please check this article.