This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Slow in promiscuous mode

0

Using Wireshark 1.6.7 in Ubuntu 12.04 with promiscuous mode makes Wireshark run slow.

I have tried reinstalling Wireshark but it still runs slow. When I disable promiscuous mode it runs ok again.

Have 8 GB of RAM.

Is there a way to speed it up?

Thanks

asked 15 Mar '14, 22:21

kam270

edited 15 Mar '14, 22:24


2 Answers:

2

> Is there a way to speed it up?

Disable name resolution.

Edit -> Preferences -> Name Resolution

Disable the options related to name resolution, like 'Resolve network (IP) addresses' and 'Use an external network name resolver'.

Regards
Kurt

answered 16 Mar '14, 05:08

Kurt Knochner ♦

Hi Kurt, this did the trick. Thanks.

(16 Mar '14, 05:25) kam270

1

First of all, you are running a quite old version; current is 1.10.6, so you might want to upgrade (if possible; I'm not sure what packages Ubuntu 12.04 has in the repositories).

Second, what do you mean exactly by "it still runs slow"? What is it doing that should be faster? Wireshark's speed depends largely on the amount of packets that it has to process, so if you're capturing packets on a very busy link you'll notice that it can't keep up with updating the display. If you're loading a trace with lots of packets it may also behave slowly because it has to process lots of data.

Keep in mind that it is not that important how much data there is (in bytes); the speed of Wireshark depends a lot more on the amount of packets, and what protocols they contain. There are many protocols that are more complex to decode and analyze than others, e.g. an ARP frame doesn't need much processing time while a complex high level protocol might take a lot longer to process.

If you need a faster capture process try doing it by running dumpcap instead of Wireshark (which in fact uses dumpcap to capture itself).

answered 16 Mar '14, 04:54

Jasper ♦♦

Yeah, it is an old version; can't seem to get a .deb of the latest version. I may have to compile from source.

The slowness was in the interface. Menus were slow to load, 4-7 seconds.

(16 Mar '14, 05:26) kam270