This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am looking for a replacement for my current laptop / portable capture device. After seeing Chris Greer's Sharkfest presentation "When does a laptop start dropping packets" (http://www.youtube.com/watch?v=_H7PjWqKV0Q) and then experiencing the inability to get all of the packets first hand during a capture session last week I'm more than leery of laying my money down for something that only functions well as an email machine. I need advice, other than than the advice of all the sales people I called on. To paraphrase - "Buy the biggest laptop we offer and stick it with every on our options list".

So, Here I go: How much memory? What kind of disk and how fast? Who's Operating System? HP or Apple? (I saw an awful lot of people at Sharkfest toting Macbooks. Do you just like your e-mail better on one of these or does it make a better capture device? $5K or less, if possible? (I can't afford an Omniview).

Please help with your suggestions as to what's important in a spec or device. I really do need to replace this by November as the lease is up and the corporate guys are coming.

asked 17 Sep '13, 12:28

dribniff's gravatar image

dribniff
6445
accept rate: 0%

Current botleneck might be in libpcap more than in HW, winpcap development seems to have stalled so perhaps another OS than Windows. Value for monny might be a few notches below top of the line. Fast disk (SSD?), >= 8 GB memory. It also depend if you plan to compile your own Wireshark/libpcap or want it out of the box.

(17 Sep '13, 13:53) Anders ♦

For the memory question, is your goal to display large packets in real-time in Wireshark, or capture them? Capturing packets really isn't a very memory-intensive task, and you can do it with something like Dumpcap with no more than a few megs of memory even for fairly high bandwidth links. If you're just writing to disk, memory is a non-issue. For display of packets however, it really depends on what kind of capture sizes you're looking at. Displaying large packet captures with no capture filters set destroys memory because you're loading it all into RAM at that point.

For myself at least, I tend to use dumpcap for captures, tshark/editcap to filter it down, then tshark or wireshark to actually load captures to a display depending on what I'm doing. That way you drill down without a lot of RAM, and in terms of avoiding needles in haystacks tshark and editcap can really compliment each other when you're working with large capture files.

Depending on what you're doing, even 128GB of RAM might not be enough if the intent is to do wide-open traces of absolutely massive captures in a display. In my experience when people complain about lack of RAM on a capture machine it's usually because they aren't effectively filtering down before displaying, or they can't control their users who aren't filtering down effectively before displaying.

(17 Sep '13, 19:06) Quadratic

Good points, all.

Display...I learned my lesson when I lit off a trace and watched the display freeze and then come back to life 45 seconds later. I think we all like the instant gratification of watching (packet analyst= voyeur?). As we get into bigger links with higher sustained data rates you can loose the display.

The problem is the link I was tapping overran the tshark and left "previous segment..." messages. So, that brings us back to disk speed and type of disk and efficiency of the bus and interface card, etc. As Anders pointed out, with inefficiencies in winpcap and libpcap it might be better to choose a non-windows OS and park the most efficient NIC-bus-disk under it that you can. Then, as Quadratic pointed out, leave the pretty pictures for after the data is captured.

Any other thoughts, anyone? What about the Apple choice?

(18 Sep '13, 06:41) dribniff
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×8
×7

question asked: 17 Sep '13, 12:28

question was seen: 2,083 times

last updated: 18 Sep '13, 06:41

p​o​w​e​r​e​d by O​S​Q​A