how many traffic capacities wireshark can handle in a second? asked 22 Apr '14, 22:54  fred edited 28 Apr '14, 01:33  grahamb ♦ |
One Answer:
That depends on the hardware wireshark is running on and the OS and version of the sport libraries. At Sharkfest '13 it was demonstrated that a windows laptop may be struggling at 100Mb/s, on a Ubuntu 13.10 with libpcap 1.5.x I managed close to 600Mb/s with dumpcap. Tcpdump did slightly better. answered 22 Apr '14, 23:49  Anders ♦ showing 5 of 6 show 1 more comments |
I deleted the comment by misstake... If you are doing a live capture with Wireshark I suspect it will manage less packets/s. As stated above your milage varies depending on HW, OS and SW level on that OS. To add insult to injury Wireshark will eventually run out of memory if run for a long time. Your Wireshark settings does also affect performance - like name resolution, update packets in real time, capture filters etc. So it's hard to give a straight answer.
(sport libraries, should read Support libraries, blaim T9)
hi,you say "on a Ubuntu 13.10 with libpcap 1.5.x I managed close to 600Mb/s with dumpcap", could you tell me your hardware list ? for example,mem size, disk size, number of interface,number of cpu core etc.
Now you should use Ubuntu 14.04 as that comes with libpcap 1.5.x
grep -c processor /proc/cpuinfo 12
/proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 45 model name : Intel(R) Xeon(R) CPU E5-2430 0 @ 2.20GHz stepping : 7 microcode : 0x70d cpu MHz : 2200.003 cache size : 15360 KB physical id : 0 siblings : 12 core id : 0 cpu cores : 6 apicid : 0 initial apicid : 0 fpu : yes fpu_exception : yes cpuid level : 13 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid bogomips : 4400.00 clflush size : 64 cache_alignment : 64 address sizes : 46 bits physical, 48 bits virtual power management:
cat /proc/meminfo MemTotal: 24642912 kB
your os Ubuntu 14.04 is desktop or server? Usually i use SUSE server,especial SUSE11SP1, can SUSE have the same handling capacity as your Ubuntu 14.04?
If it has the same wireshark and Libpcap versions I don't see why not. Kernel version might make a difference too but not that I'm aware of. Server or desktop differences i don't know either.
thanks,i will check it