Our focus at this moment is long-term data collection. So far, we have set sampling points only on relatively slow connections. Data collection from faster links is an obvious direction, but we have limited storage capacity and network capacity.
As for high-performance packet capturing, we can benefit from advanced research such as OC3MON [ACTW96]. OC3MON uses a DOS-based capturing tool to monopolize the CPU, and takes advantage of the processor on the ATM card for offloading.
However, today's commodity PC is already quite powerful: Gigabit Ethernet is about 125MB/sec. The bus bandwidth of 32-bit PCI at 33MHz is 132MB/sec, and 64-bit PCI at 66MHz is 528MB/sec. The disk interface is getting faster as well. Ultra160 SCSI provides 160MB/sec. A single high-end disk has a sustained rate of about 30MB/sec, but disks can be used in parallel so that 4 disks provide about 120MB/sec. CPU power itself seems to be catching up.
There are also issues with running tcpdump on a non-realtime UNIX: preemption could affect reliable data collection, resource contention and kernel-user data copies could affect performance, and network cards and drivers are not designed to obtain precise timestamps. Still, if the system is correctly tuned, a commodity PC seems to be capable of capturing packets even on a gigabit network.
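One way to check a collected trace for the timestamp problems named above is to audit the per-packet timestamps in the capture file. The following is an added example, not code from the original paper: it assumes the classic pcap file format written by `tcpdump -w`, and the function names, the 0.5 s gap threshold and the sample trace are constructed for illustration.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(stamps, snaplen=96, pkt_len=60):
    """Constructed sample: little-endian pcap with zero-filled packets."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, pkt_len, pkt_len) + bytes(pkt_len)
    return out

def audit_timestamps(data, gap_us=500_000):
    """Count timestamp anomalies in a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == MAGIC_USEC:
            break
    else:
        raise ValueError("not a microsecond-resolution classic pcap")
    stats = {"packets": 0, "backwards": 0, "identical": 0,
             "gaps": 0, "truncated_file": False}
    offset, prev = 24, None
    while offset < len(data):
        if offset + 16 > len(data):          # partial record header
            stats["truncated_file"] = True
            break
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):               # partial packet body
            stats["truncated_file"] = True
            break
        now = sec * 1_000_000 + usec         # integer microseconds
        stats["packets"] += 1
        if prev is not None:
            if now < prev:
                stats["backwards"] += 1      # clock stepped or stamps reordered
            elif now == prev:
                stats["identical"] += 1      # heuristic: coarse clock resolution
            elif now - prev > gap_us:
                stats["gaps"] += 1           # stall or idle link; needs context
        prev = now
    return stats

if __name__ == "__main__":
    # Constructed timestamps (sec, usec): duplicate, backwards step, 2 s gap.
    sample = build_pcap([(1000, 100), (1000, 100), (1000, 250),
                         (1000, 200), (1002, 0)])
    print(audit_timestamps(sample))
```

A gap alone does not prove a capture stall, since an idle link produces the same pattern; compare the counters against the known load of the sampling point.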