This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does Wireshark affect server resources? Is it safe to put on a production server? We are experiencing time-outs in accessing the server. We want to see what's in the packets, which is why we are planning to install Wireshark on the server. Is this advisable? What is the alternative way to look at/capture packets to the server? Thank you.

asked 08 Jan '13, 08:56


bbmh123
accept rate: 0%

edited 08 Jan '13, 08:57


Wireshark for the most part is pretty benign. Unless you're talking about a 1 Gig-attached server going at 100% utilization, it should be safe. But to be absolutely sure, why not SPAN/mirror the switch port connected to the server? This way, you can get access to the packet data without installing anything on the server. Also, just as an FYI, if your server is Unix/Linux/Solaris, you already have tcpdump/snoop on the server. So you can use that to capture the packets as necessary. If it's a Windows server, it may or may not have NetMon installed. You can also use that to capture the packets. In either case, you can analyze the data using Wireshark after the fact.

But some baseline troubleshooting should take place. For example, can you ping the server during the timeout events? You can write a ping script to ping the server once every few seconds and log it. This will help you nail down if this is an application issue or a physical issue.

Are there any logs on the switch port connecting the server? Drops, link up/down messages, BPDU forwarding messages, etc.? Not every message may get logged, depending on the configuration, but it's the first thing you should rule out.

Good luck.


answered 08 Jan '13, 10:55


hansangb
accept rate: 12%
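The "ping script" suggested in the answer above, as an added example that is not part of hansangb's answer or of Wireshark. It probes the server once every few seconds and appends a timestamped line per probe, so gaps in the log can be compared against the times the application reported a time-out. The script name, function names, defaults and the address 192.0.2.10 (a documentation address) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): poll a server with a single
# ping every few seconds and log each result with a timestamp, so the log can
# be lined up against the application's time-out events later.
# Script name, function names and defaults are this example's own.
#
# Usage: ping-monitor.sh HOST [INTERVAL_SECONDS] [LOGFILE]
#   e.g. ping-monitor.sh 192.0.2.10 5 /var/tmp/ping-192.0.2.10.log
# (192.0.2.10 is a documentation address used here as a constructed example.)

# Reduce the output of one `ping -c 1` run to a log token:
#   "UP rtt=<ms>" when a reply line with time= came back, otherwise "DOWN".
# Kept separate from the probe itself so it can be checked on saved output.
summarize_ping() {
  rtt=$(printf '%s\n' "$1" | sed -n 's/.*time=\([0-9.]*\) *ms.*/\1/p' | head -n 1)
  if [ -n "$rtt" ]; then
    printf 'UP rtt=%sms\n' "$rtt"
  else
    printf 'DOWN\n'
  fi
}

# One probe. -c 1 sends a single echo request; -W 2 caps the wait for a reply
# at 2 s on Linux ping (BSD/macOS ping take -W in milliseconds; adjust there).
# stderr is captured too, so "unknown host" and similar errors count as DOWN.
probe_once() {
  summarize_ping "$(ping -c 1 -W 2 "$1" 2>&1)"
}

# Loop forever, one line per probe, with UTC timestamps so the log lines up
# with server and switch logs regardless of local time zone.
monitor() {
  host=$1; interval=$2; logfile=$3
  while :; do
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$(probe_once "$host")" >> "$logfile"
    sleep "$interval"
  done
}

# Only start the loop when a host is given; with no arguments the script just
# defines the functions above.
if [ $# -ge 1 ]; then
  monitor "$1" "${2:-5}" "${3:-ping-$1.log}"
fi
```

Run it from a machine other than the one you are troubleshooting, and let it run across at least one time-out event. A run of DOWN lines, or UP lines whose rtt jumps by an order of magnitude, at the same minute the application timed out points at the path or the host; steady UP lines with normal rtt during the time-out point at the application.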

It's not advisable, but there may be situations where there is no other option. Running a capture on one of the systems taking part in the conversation is problematic, since it will usually mess up at least some of the packets you're recording. This will make analysis a lot more difficult, and you need to know the side effects of capturing packets locally like that to be able to rule them out as a cause of any problems you're investigating.

It's a lot better to run a passive capture system that only records what the others are sending. That way you get an unbiased view of what is happening. Ways to do that are usually either capturing with a SPAN port, or (if you can afford it) by using a TAP.


answered 08 Jan '13, 12:58


Jasper ♦♦
accept rate: 18%

If there's anything to put on a production server it would be dumpcap, Wireshark's capture client. I've run that for ages on a (lightly loaded) production server, writing out limited-size capture files in a loop, so that I could pick up the capture once a problem was reported. Make sure to plan for enough storage though; on loaded networks this can add up quickly.


answered 08 Jan '13, 14:13


Jaap ♦
accept rate: 14%
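The dumpcap ring-buffer setup described in the answer above, with the storage check it recommends, as an added example that is not part of Jaap's answer or of the Wireshark project. The dumpcap options used (-i, -w, -s, -q, -f, -b filesize:, -b files:) are real; the script name, function names, default sizes and the path /var/tmp/cap are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): a dumpcap ring-buffer capture
# for a production host, with the storage check the answer recommends.
# Script name, function names, defaults and paths are this example's own.
#
# Usage: capture-ring.sh IFACE PREFIX [SIZE_KB] [FILES] ['bpf filter']
#   e.g. capture-ring.sh eth0 /var/tmp/cap/srv 100000 50 'not tcp port 22'
#
# dumpcap starts a new file every SIZE_KB kB (-b filesize:) and keeps at most
# FILES files (-b files:), deleting the oldest, so the disk footprint stays
# bounded at roughly SIZE_KB * FILES. Files are named
# PREFIX_<seq>_<timestamp>.pcapng, so the file covering a reported time-out
# can be picked by its timestamp.

# Total kB the ring can occupy. dumpcap's kB unit is not larger than df's
# 1024-byte unit, so comparing the two numbers directly errs on the safe side.
ring_kb() {
  echo $(( $1 * $2 ))
}

# Free kB on the filesystem holding DIR, from POSIX `df -Pk` (4th column).
avail_kb() {
  df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Does NEED kB fit in AVAIL kB while leaving a 10% margin for everything else
# on that filesystem? Exit status 0 = yes, 1 = no.
fits() {
  need=$1; avail=$2
  need_with_margin=$(( need + need / 10 ))
  [ "$need_with_margin" -le "$avail" ]
}

# Start the capture. Needs root or, on Linux, CAP_NET_RAW/CAP_NET_ADMIN on the
# dumpcap binary (see note below). -s 0 = full packets; -q = no per-packet
# counter output; -f limits what is recorded, e.g. to leave out your own SSH
# session so it does not fill the ring.
start_capture() {
  iface=$1; prefix=$2; size_kb=$3; files=$4; filter=$5
  set -- dumpcap -q -i "$iface" -s 0 -b "filesize:$size_kb" -b "files:$files" -w "$prefix.pcapng"
  if [ -n "$filter" ]; then
    set -- "$@" -f "$filter"
  fi
  printf 'Running:'; printf ' %s' "$@"; printf '\n'
  exec "$@"
}

# With no arguments the script only defines the functions above.
if [ $# -ge 2 ]; then
  IFACE=$1; PREFIX=$2; SIZE_KB=${3:-100000}; FILES=${4:-50}; FILTER=${5:-}
  DIR=$(dirname "$PREFIX")
  NEED=$(ring_kb "$SIZE_KB" "$FILES")
  AVAIL=$(avail_kb "$DIR")
  if fits "$NEED" "$AVAIL"; then
    echo "ring buffer needs $NEED kB, $AVAIL kB free under $DIR: ok"
    start_capture "$IFACE" "$PREFIX" "$SIZE_KB" "$FILES" "$FILTER"
  else
    echo "ring buffer needs $NEED kB (+10%) but only $AVAIL kB free under $DIR" >&2
    exit 1
  fi
fi
```

Put the ring on a filesystem that does not hold the application's data or logs, so a mis-sized ring cannot take the service down by filling its disk. On Linux, dumpcap is commonly given `cap_net_raw,cap_net_admin=eip` with setcap and made executable only by a dedicated group, so the capture does not have to run as root; check with `dumpcap -D` that the account can see the interface before leaving it unattended.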


question asked: 08 Jan '13, 08:56

question was seen: 6,018 times

last updated: 08 Jan '13, 14:13
