This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'd like to log my Internet usage in such a way that I can see how much I've uploaded, and how much I've downloaded, to each port on each host/IP I visit.

The machine I would be using to do this is an 800MHz Duron with 640MB of RAM, and this box is also used for quite a few other tasks (it typically has about 150MB of RAM free, and an average of 60-80% CPU usage), so I'd like to know how responsive the system would be with Wireshark constantly running in the background on such a system. (For some unusual and involved technical reasons, upgrading this system or using another is currently not possible.)

Also, since just about everything that works with a domain name is going to do a DNS lookup to find the IP address, would it be possible to sniff for the DNS lookup response and use that to associate IP addresses with hostnames, rather than making an extra, technically superfluous, DNS lookup?

asked 14 Mar '14, 00:46

i336_'s gravatar image

i336_
1111
accept rate: 0%


That is not a lot of RAM, and no matter how much RAM you put in you will still run into trouble after a while. Wireshark is unable to capture nonstop, so if you plan on doing a continuous capture you should use dumpcap instead. See this blog post for more information on long time captures.

Regarding DNS: Wireshark uses DNS answers found in capture files to do name resolution. It will only do DNS lookups if there is no answer found to a given IP address, and only if you use network name resolution.

permanent link

answered 14 Mar '14, 00:54

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

I see, thanks for that information; I'll give dumpcap a look. What's its performance like, CPU/RAM-wise? Is dumpcap a kind of intelligent framework that adds to libpcap, or is it just a thin layer that brings the functionality required into Wireshark?

Also, it's nice to know I'm not the only one who thought of the spurious-DNS thing :P

(14 Mar '14, 01:38) i336_

dumpcap has no intelligence when it comes to analyzing packets, its single job is to grab frames from the network card and write them to a file. So it's memory footprint should be pretty small; similar to what TCPdump does.

Actually, when Wireshark is capturing data it is not doing it itself. Wireshark spawns a dumpcap process and keeps reloading the file while it is written by dumpcap.

(14 Mar '14, 01:54) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×55
×36
×21
×4

question asked: 14 Mar '14, 00:46

question was seen: 3,794 times

last updated: 14 Mar '14, 01:54

p​o​w​e​r​e​d by O​S​Q​A