I'd like to log my Internet usage in such a way that I can see how much I've uploaded, and how much I've downloaded, to each port on each host/IP I visit. The machine I would be using to do this is an 800MHz Duron with 640MB of RAM, and this box is also used for quite a few other tasks (it typically has about 150MB of RAM free, and an average of 60-80% CPU usage), so I'd like to know how responsive the system would be with Wireshark constantly running in the background on such a system. (For some unusual and involved technical reasons, upgrading this system or using another is currently not possible.) Also, since just about everything that works with a domain name is going to do a DNS lookup to find the IP address, would it be possible to sniff for the DNS lookup response and use that to associate IP addresses with hostnames, rather than making an extra, technically superfluous, DNS lookup? asked 14 Mar '14, 00:46  i336_ |
One Answer:
That is not a lot of RAM, and no matter how much RAM you put in you will still run into trouble after a while. Wireshark is unable to capture nonstop, so if you plan on doing a continuous capture you should use dumpcap instead. See this blog post for more information on long time captures. Regarding DNS: Wireshark uses DNS answers found in capture files to do name resolution. It will only do DNS lookups if there is no answer found to a given IP address, and only if you use network name resolution. answered 14 Mar '14, 00:54  Jasper ♦♦ |
I see, thanks for that information; I'll give dumpcap a look. What's its performance like, CPU/RAM-wise? Is dumpcap a kind of intelligent framework that adds to libpcap, or is it just a thin layer that brings the functionality required into Wireshark?
Also, it's nice to know I'm not the only one who thought of the spurious-DNS thing :P
dumpcap has no intelligence when it comes to analyzing packets, its single job is to grab frames from the network card and write them to a file. So it's memory footprint should be pretty small; similar to what TCPdump does.
Actually, when Wireshark is capturing data it is not doing it itself. Wireshark spawns a dumpcap process and keeps reloading the file while it is written by dumpcap.