Has anyone tried real-time packet analysis using Wireshark's GUI with high volumes of traffic (>1Gbps)? Is this even possible with Wireshark?
asked 22 May '12, 09:26 kfryklund edited 22 May '12, 17:38 cmaynard ♦♦
One Answer:
If you say > 1 GBit/s, do you mean 10 GBit/s? If so, there have been talks about this at several Sharkfest events:
Maybe someone here even has personal experience with 10 GBit analysis.
Regards
answered 22 May '12, 10:15 Kurt Knochner ♦ edited 22 May '12, 10:16
Thank you for the suggestions. I'm capturing at 10Gbit/s (but I have the ability to capture up to 40Gbit/s). I already have an appliance that can handle 20Gbps of traffic capture, but I don't have a way to analyze the realtime traffic with Wireshark.
Based on the Sharkfest events, Wireshark builds their own appliances (up to 7Gbps capture/record), but I still can't tell if the Wireshark user is capable of monitoring/analysis of large amounts of realtime traffic as it's being captured.
You say:
Why do you need to analyze the data while it is being captured (at that speed)?
What are you looking for?
BTW: If you try to analyze 10GBit/s traffic in realtime in Wireshark (GUI or tshark), you will end up with enormous memory consumption in a very short period of time. 10Gbit/s is roughly 1Gbyte/s data. Wireshark builds internal data structures to store that data in memory. Internal memory requirement is somewhat larger than the raw captured data. So, within just 10 seconds you would end up with >> 10 GByte RAM consumption and it's not getting any better if Wireshark runs longer ;-)
So, again: What are you looking for? Maybe there is a better way (if any) to analyze that much data in realtime.