When starting a capture, all packets arrive in memory, but also in a temp file. The write speed to disk is probably a limiting factor on how fast Wireshark can collect the data. I lose packets as soon as traffic exceeds 400 Mbps on a 10 gigabit/s network card. I have a Xeon processor at 2.8 GHz and 4 GByte RAM at 1066 MHz, so I don't think the writing to RAM is the limiting factor. I would like to be able to disable writing to the temp file in Wireshark, to see if I still lose packets. Is there a way to do it?

asked 25 Oct '12, 01:35 wbla
2 Answers:
Wireshark uses dumpcap to do the capturing. This is done for security purposes, so that the >2 million lines of code executable does not need to run with elevated privileges. Dumpcap writes to a temporary file and Wireshark reads from the file. So no, capturing without the use of a temporary file is not possible by design. If you need to capture high-speed networks for small amounts of time, you might want to consider using a RAM disk for the temporary capture file.

answered 25 Oct '12, 02:28 SYN-bit ♦♦
You can only try to increase the buffers in the capture setup, but basically Wireshark will always write to disk as soon as it is full. Increasing the buffers can be done by selecting "Capture" -> "Capture Options" -> double-click the NIC you use to capture -> Buffer Size. From my experience the amount of memory you can enter there depends on how much RAM you have and whether it is a 32-bit or 64-bit OS you're running. If you increase the buffers you will most likely encounter things like the capture stop button behaving differently, because it will not react right away while there are still packets in the buffer. You'll have to observe the status bar to see if packets are still coming in. While I do not want to rain on your parade, I still think that the PC you have is probably just not fast enough for a 10G capture. 400 Mbps means you're writing 50 MB/s to disk, and that is the problem in most cases. A single "normal" HDD can write from 40 to let's say 100 MB/s today, with only SSDs going up to maybe 500 MB/s. If your 10 GBit link is 100% full you'll get 20 GBit in total (10 GBit RX, 10 GBit TX), and that means that you'll need to be able to write about 2200 MByte per second. Yes, that is 2.2 GByte/s. This is only possible with expensive PCI-e based SSD cards, and I'm not sure you want to buy one of those :-)

answered 25 Oct '12, 02:00 Jasper ♦♦
Thank you for this info, now it is obviously my disk write speed. I could see it by the fact that when always capturing for 10 seconds and using different bitrates as traffic to capture, the file size was always at maximum 1.2 GB, or even less for higher bitrates. This means 1.2 GB / 10 seconds = indeed the max write speed of my disk. I am now considering ordering an SSD disk and redoing my tests.
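As an added example (not from the original thread or from the Wireshark project), the two suggestions above combined on Linux: dumpcap captures for a fixed time into a tmpfs RAM disk with a larger kernel buffer (`-B`), and the script then parses dumpcap's own drop summary so the capture can be compared with the same run against the HDD. The interface name, mount point, buffer and RAM-disk sizes are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Captures with dumpcap into a tmpfs
# RAM disk using a larger kernel buffer (-B), then reads dumpcap's drop summary.
# Assumptions: Linux, run as root, dumpcap in PATH; IFACE, sizes and paths are placeholders.
set -eu

IFACE="${IFACE:-eth0}"                # assumed interface name
RAMDISK="${RAMDISK:-/mnt/capram}"     # assumed mount point for the temporary capture file
RAMDISK_SIZE="${RAMDISK_SIZE:-3G}"    # keep well below free RAM
KBUF_MIB="${KBUF_MIB:-256}"           # dumpcap -B: kernel capture buffer in MiB (default is 2)
DURATION="${DURATION:-10}"            # seconds, matching the 10 s tests in the question

# Decimal megabytes per second the capture target must sustain for a given Mbit/s of traffic.
mb_per_s_needed() {
    echo $(( $1 / 8 ))
}

# Parse dumpcap's end-of-capture summary (printed on stderr), which looks like:
#   Packets received/dropped on interface 'eth0': 1234/56 (pcap:56/dumpcap:0/flushed:0/ps_ifdrop:0) (95.7%)
# Prints "<received> <dropped> <dropped-percent>" with an integer percent.
drop_stats() {
    counts=$(printf '%s\n' "$1" | sed -n 's|.*: \([0-9][0-9]*\)/\([0-9][0-9]*\) .*|\1 \2|p')
    [ -n "$counts" ] || { echo "0 0 0"; return 1; }
    recv=${counts% *}
    drop=${counts#* }
    total=$(( recv + drop ))
    if [ "$total" -eq 0 ]; then pct=0; else pct=$(( drop * 100 / total )); fi
    echo "$recv $drop $pct"
}

run_capture() {
    mkdir -p "$RAMDISK"
    mountpoint -q "$RAMDISK" || mount -t tmpfs -o "size=$RAMDISK_SIZE" tmpfs "$RAMDISK"
    # -a duration:N stops the capture after N seconds; stderr carries the summary line.
    dumpcap -i "$IFACE" -B "$KBUF_MIB" -a "duration:$DURATION" \
        -w "$RAMDISK/capture.pcapng" 2> "$RAMDISK/dumpcap.log"
    summary=$(grep 'Packets received/dropped' "$RAMDISK/dumpcap.log")
    set -- $(drop_stats "$summary")
    echo "received=$1 dropped=$2 dropped_pct=$3"
    # The file size written in DURATION seconds shows the rate the RAM disk absorbed.
    ls -l "$RAMDISK/capture.pcapng"
}

# Run only when explicitly asked, so the helper functions can be sourced or tested alone.
if [ "${1:-}" = "run" ]; then
    run_capture
fi
```

When capturing from the Wireshark GUI instead of dumpcap directly, setting TMPDIR to the tmpfs mount before starting Wireshark moves its temporary capture file there in the same way.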