This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IO Throughput using only the Headers


I have a device that is receiving a large amount of traffic on its gigabit link. I'm slightly worried about running a standard capture on it as it may create performance issues for the device. My question is: what methods can I use to limit the amount of traffic I have to capture that would still allow me to report the statistics within wireshark or tshark?

Can anyone confirm whether tshark and wireshark use the complete data payload when calculating the packet totals etc. (i.e. within the Protocol Hierarchy Stats), and not just the TCP SEQ numbers in the case of TCP? I was wondering if there is any way to only capture the headers and still be able to report the various protocol throughputs.

Many Thanks,

asked 30 Jan '13, 03:43

bart80


One Answer:


The stats will only be calculated for those parts of the packets that Wireshark can see. You'll need to ensure you capture enough to allow at least protocol detection for those protocols you want.

Do you need this info in real-time? If not, you'd also be better off using dumpcap to capture as Wireshark (and TShark to a lesser extent) will run out of memory due to maintaining conversations data etc.

answered 30 Jan '13, 04:13

grahamb ♦

It doesn't need to be in real time. So from what you're saying, as long as I capture the TCP headers, or up to the first 100 bytes, say, then I should be OK. I just won't be able to get too much in terms of UDP stats.

(30 Jan '13, 05:53) bart80

You could also miss out on stats where there are multiple PDUs, e.g. UDP messages in a frame, as the ones after the cutoff point won't be counted.

As you don't need this info in real-time I really recommend you use dumpcap for the captures.

(30 Jan '13, 05:59) grahamb ♦

Trouble with dumpcap is that it isn't always available on the device that I am capturing on. The good thing with tcpdump is that it is normally always preinstalled.

(30 Jan '13, 09:24) bart80

tcpdump is also OK. The main thing is not to use Wireshark or TShark due to the memory consumption when there is a lot of traffic.

(30 Jan '13, 09:43) grahamb ♦

Ah ok, so is there anything else I should consider when capturing traffic on an interface that is RX/TX around a gig per sec?

Thanks for all your help...

(30 Jan '13, 10:47) bart80

Disk i/o speed. @jasper knows more, but in another question he thought you needed 240MB/s write speed.

(30 Jan '13, 11:43) grahamb ♦
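The point made in the answer (statistics only cover the bytes the tool can see, so capture enough for protocol detection) and in the later comment about PDUs past the cutoff, as an added example that is not part of the original thread and is not Wireshark's or tcpdump's code: a small Python pcap reader that attributes each record's original on-the-wire length (the orig_len field every pcap record carries next to the captured length) to a transport protocol, but only when the header it needs survived the snaplen. The frames are constructed inline; the truncation mimics what a capture with a short snaplen (`tcpdump -s 64 -w file.pcap` or `dumpcap -s 64 -w file.pcap`) would write to disk. It reproduces the principle, not Wireshark's own Protocol Hierarchy Stats logic.

```python
# Added example (not from the original thread or from Wireshark): a minimal
# pcap reader showing what a short snaplen does to per-protocol statistics.
# Byte totals use orig_len (wire length), so throughput survives truncation;
# a packet is only attributed to a protocol whose header survived the cut.
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4     # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def make_frame(proto, payload_len, ip_options=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; addresses and checksums are
    dummies, only the header layout matters for this demonstration."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ihl = (20 + len(ip_options)) // 4
    l4_len = 20 if proto == IPPROTO_TCP else 8
    total_len = 20 + len(ip_options) + l4_len + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0)
    return eth + ip + ip_options + l4 + b"\x00" * payload_len


def build_pcap(frames, snaplen):
    """Serialise frames into a pcap, truncating each record to snaplen the way
    `tcpdump -s N` / `dumpcap -s N` would; orig_len still records the full size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(captured), len(frame)) + captured
    return out


def classify(pkt):
    """Label a (possibly truncated) frame by transport protocol, or 'truncated'
    if the bytes needed to make that decision are missing."""
    if len(pkt) < 14:
        return "truncated"
    if struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return "eth:other"
    if len(pkt) < 14 + 20:
        return "truncated"
    ihl = (pkt[14] & 0x0F) * 4          # IP header length incl. options
    proto = pkt[14 + 9]                  # protocol byte of the IPv4 header
    l4 = 14 + ihl                        # offset of the transport header
    if proto == IPPROTO_TCP:
        return "tcp" if len(pkt) >= l4 + 20 else "truncated"
    if proto == IPPROTO_UDP:
        return "udp" if len(pkt) >= l4 + 8 else "truncated"
    return "ip:other"


def protocol_stats(pcap_bytes):
    """Return {label: (packets, wire_bytes, captured_bytes)} for a pcap.
    wire_bytes sums orig_len, captured_bytes sums incl_len."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic pcap of Ethernet frames")
    stats = defaultdict(lambda: [0, 0, 0])
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        pkt = pcap_bytes[off:off + incl_len]
        off += incl_len
        entry = stats[classify(pkt)]
        entry[0] += 1
        entry[1] += orig_len
        entry[2] += incl_len
    return {label: tuple(v) for label, v in stats.items()}


def demo(snaplen=64):
    """Constructed traffic: a full TCP segment, a bare ACK, a UDP datagram, and
    a TCP segment behind 40 bytes of IP options (TCP header at offset 74)."""
    frames = [
        make_frame(IPPROTO_TCP, 1400),
        make_frame(IPPROTO_TCP, 0),
        make_frame(IPPROTO_UDP, 500),
        make_frame(IPPROTO_TCP, 100, ip_options=b"\x01" * 40),  # 40 NOP options
    ]
    return protocol_stats(build_pcap(frames, snaplen))


if __name__ == "__main__":
    for snaplen in (64, 65535):
        print(f"snaplen={snaplen}")
        for label, (n, wire, cap) in sorted(demo(snaplen).items()):
            print(f"  {label:10s} packets={n} wire_bytes={wire} captured_bytes={cap}")
```

With a 64-byte snaplen the segment carrying IP options cannot be attributed to TCP, because its transport header starts past the cut, while its 194 wire bytes still count toward the overall total; rerun with a full snaplen and the same traffic classifies every frame. Anything that lies beyond the cut in a frame (a second UDP message, the upper-layer protocol inside the TCP stream) is invisible in exactly the same way, which is the case the comment about multiple PDUs describes.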