How does Wireshark affect server resources? Is it safe to put on a production server? We are experiencing time-outs in accessing the server. We want to see what's in the packets; that's why we are planning to install Wireshark on the server. Is this advisable? What is the alternative way to look at/capture packets to the server? Thank you.

asked 08 Jan '13, 08:56 bbmh123 (edited 08 Jan '13, 08:57)
3 Answers:
Wireshark for the most part is pretty benign. Unless you're talking about a 1Gig attached server going at 100% utilization, it should be safe. But to be absolutely sure, why not span/mirror the switch port connected to the server? This way, you can get access to the packet data w/o installing anything on the server.

Also, just as an FYI, if your server is Unix/Linux/Solaris, you already have tcpdump/snoop on the server. So you can use that to capture the packets as necessary. If it's a Windows server, it may or may not have NetMon installed. You can also use that to capture the packets. In either case, you can analyze the data using Wireshark after the fact.

But some baseline troubleshooting should take place. For example, can you ping the server during the timeout events? You can write a ping script to ping the server once every few seconds and log it. This will help you nail down if this is an application issue or a physical issue. Are there any logs on the switch port connecting the server? Drops, link up/down messages? BPDU forwarding messages etc.? Not every message may get logged depending on the configuration, but it's the first thing you should rule out.

Good luck.

answered 08 Jan '13, 10:55 hansangb
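The ping-and-log script suggested in the answer above, written out as an added example (not the answerer's own code). It probes the server at a fixed interval, appends one line per probe to a log, and includes a summarizer that turns runs of failed probes into outage windows, so the times can be compared with the application time-outs the question describes. The log path, interval and the `ping -c 1 -W 2` flags (GNU/Linux iputils syntax) are assumptions.

```shell
#!/bin/sh
# Reachability monitor: periodic ping with a timestamped log, plus an
# outage summarizer. Added example; paths and flags are assumed values.

LOGFILE="${LOGFILE:-/var/tmp/ping-monitor.log}"   # assumed log location
INTERVAL="${INTERVAL:-5}"                          # seconds between probes

# One probe. Prints "timestamp up <rtt_ms>" or "timestamp down -".
# -c 1 sends a single echo request, -W 2 waits at most 2 s (iputils ping;
# BSD/macOS ping uses different timeout flags).
probe_once() {
    target="$1"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if out=$(ping -c 1 -W 2 "$target" 2>/dev/null); then
        rtt=$(printf '%s\n' "$out" | sed -n 's/.*time=\([0-9.]*\).*/\1/p' | head -n1)
        printf '%s up %s\n' "$ts" "${rtt:-?}"
    else
        printf '%s down -\n' "$ts"
    fi
}

# Loop forever, appending one line per probe to the log.
monitor() {
    target="$1"
    while :; do
        probe_once "$target" >> "$LOGFILE"
        sleep "$INTERVAL"
    done
}

# Summarize a log file: every run of consecutive "down" probes becomes one
# line "first_down last_down count". Compare these windows with the times
# users reported time-outs to tell a network-layer loss from an application
# problem (server reachable, application still slow).
outages() {
    awk '
        $2 == "down" { if (!n) start = $1; last = $1; n++ }
        $2 == "up"   { if (n) { print start, last, n; n = 0 } }
        END          { if (n) print start, last, n }
    ' "$1"
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
case "${1:-}" in
    monitor) monitor "$2" ;;    # ./pingmon.sh monitor <server-address>
    outages) outages "$2" ;;    # ./pingmon.sh outages <logfile>
esac
```

Run `monitor` in the background (for example under `nohup` or as a service) for the whole period in which time-outs are being reported, then run `outages` against the log when a user complains. If the outage windows line up with the complaints, the problem is below the application; if the log shows the server answering throughout, the application or its dependencies are the next place to look.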
It's not advisable, but there may be situations where there is no other option. Running a capture on one of the systems taking part in the conversation is problematic, since it will usually mess up at least some of the packets you're recording. This will make analysis a lot more difficult, and you need to know the side effects of capturing packets locally like that to be able to rule them out as a cause of any problems you're investigating.

It's a lot better to run a passive capture system that only records what the others are sending. That way you get an unbiased view of what is happening. Ways to do that are usually either capturing with a SPAN port, or (if you can afford it) by using a TAP.

answered 08 Jan '13, 12:58 Jasper ♦♦
If there's anything to put on a production server it would be dumpcap, Wireshark's capture client. I've run that for ages on a (lightly loaded) production server, writing out limited size capture files on a loop, so that I could pick up the capture once a problem was reported. Make sure to plan for enough storage though, on loaded networks this can add up quickly.

answered 08 Jan '13, 14:13 Jaap ♦
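The ring-buffer setup described in the answer above, as an added example rather than the answerer's own script. It starts dumpcap writing a fixed number of size-limited files, overwriting the oldest, and first checks that the capture directory can hold the whole ring, which is the storage planning the answer asks for. The interface name, directory, file size and file count are assumed values; the dumpcap options (`-i`, `-s`, `-f`, `-b filesize:`, `-b files:`, `-w`) are dumpcap's own.

```shell
#!/bin/sh
# Start dumpcap as a ring buffer on a production host and make sure the ring
# fits on disk first. Added example; all values below are assumptions.

IFACE="${IFACE:-eth0}"                  # interface to capture on
CAPDIR="${CAPDIR:-/var/tmp/capture}"    # where the ring files live
FILESIZE_KB="${FILESIZE_KB:-102400}"    # ~100 MB per file (dumpcap counts kB)
NFILES="${NFILES:-50}"                  # keep the newest 50 files
SNAPLEN="${SNAPLEN:-0}"                 # 0 = full frames; lower it to save space
CAPFILTER="${CAPFILTER:-}"              # optional BPF filter, e.g. "tcp port 443"

# Worst-case footprint of the ring in kB: every slot full plus the file
# currently being written, rounded up as a conservative estimate.
ring_footprint_kb() {
    filesize_kb="$1"; nfiles="$2"
    echo $(( filesize_kb * (nfiles + 1) ))
}

# Succeeds if the filesystem holding $1 has at least $2 kB free.
# df -Pk is POSIX output in 1 KiB blocks; column 4 is available space.
has_room() {
    dir="$1"; need_kb="$2"
    avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    [ "$avail_kb" -ge "$need_kb" ]
}

start_capture() {
    mkdir -p "$CAPDIR"
    need=$(ring_footprint_kb "$FILESIZE_KB" "$NFILES")
    if ! has_room "$CAPDIR" "$need"; then
        echo "refusing to start: $CAPDIR has less than ${need} kB free" >&2
        return 1
    fi
    # -b filesize:KB  start a new file once the current one reaches this size
    # -b files:N      keep at most N files; the oldest is deleted to make room
    # -w base         dumpcap appends a sequence number and timestamp per file
    # -f filter       capture filter so the ring holds only traffic of interest
    # shellcheck disable=SC2086
    nohup dumpcap -i "$IFACE" -s "$SNAPLEN" \
        -b "filesize:$FILESIZE_KB" -b "files:$NFILES" \
        -w "$CAPDIR/ring.pcapng" \
        ${CAPFILTER:+-f "$CAPFILTER"} \
        > "$CAPDIR/dumpcap.log" 2>&1 &
    echo $! > "$CAPDIR/dumpcap.pid"
}

# Dispatch only when invoked with an argument, so the file can also be sourced.
case "${1:-}" in
    start) start_capture ;;                          # ./ringcap.sh start
    stop)  kill "$(cat "$CAPDIR/dumpcap.pid")" ;;    # ./ringcap.sh stop
esac
```

When a time-out is reported, copy the file that covers that time out of `$CAPDIR` (the sequence number and timestamp in each name make it easy to find) and open it in Wireshark on a workstation; the ring keeps running on the server, so nothing is lost while you analyse. Lowering `SNAPLEN` or tightening `CAPFILTER` is the usual way to stretch the ring over a longer period on a busy link.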