This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Gigabit Ethernet Capture

0

Is it possible for Wireshark to capture real-time packets with no packet drop when capturing on Gigabit Ethernet? If not, is there another packet analyzer that can do so? If yes, how do I do it? Thanks!

This question is marked "community wiki".

asked 01 Jun '14, 23:07


KTC
1112
accept rate: 0%


One Answer:

1

Depends on how much traffic there is on the Gigabit link and how fast the packets are coming in. Worst case: no, you can't capture a full gigabit link with standard PC equipment, as Chris Greer demonstrated at the Wireshark conference last year.

If you really need zero packet drop under all circumstances, you'll need special capture equipment, e.g. one of the commercial capture solutions like Wildpackets, Solera Networks etc.

Or you buy a Napatech or Fiberblaze capture card and build your own system with it.

answered 02 Jun '14, 01:59


Jasper ♦♦
23.8k551284
accept rate: 18%

How about High End Servers instead of standard PC equipment? Could it possibly work? Thanks for the response!

(02 Jun '14, 17:14) KTC

As far as I know there are no recent studies on capturing on commodity HW. Getting close to 1 Gb/s is a challenge and would probably need the best possible HW and OS. But do you really need to listen to a fully loaded Gigabit link? The amount of data captured would be huge and a challenge to analyse after capture.

Using dumpcap and just writing to disk with libpcap >= 1.5.3 might give good results.

  • If you do switch monitoring, the switch might get overloaded and drop packets.

I imagine CPU and memory (RAM) speed are a factor together with disk speed. As the capturing process isn't multithreaded, the number of cores doesn't matter that much.

Capture filters to reduce the number of packets to actually save might help.

That said, you can get far on commodity HW, but taps with HW filtering might be the first thing to consider if that isn't working.

(02 Jun '14, 22:05) Anders ♦
1

At Chris's demo last year I captured with an 8-core Intel Core i7 directly to an SSD, and still lost about 80% of the packets if the generator pushed them out as fast as possible. This was a synthetic test, but it showed that on really busy links standard hardware has its limits. I guess the capture card is the problem because it has to process incoming data fast and precisely.

(03 Jun '14, 02:48) Jasper ♦♦

I guess that was on Windows; I have a feeling that Linux and BSD do (much) better.

(03 Jun '14, 03:11) Anders ♦

I don't remember if that was with dumpcap, tshark or wireshark, and whether a larger buffer than 1 MB was used.

(03 Jun '14, 03:13) Anders ♦
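The two points raised in the comments above, capturing with dumpcap straight to disk with a capture filter, and the question of how large a kernel buffer was used, come together in practice as a dumpcap command line plus a check of the drop counters dumpcap prints when it exits. The script below is an added example for this thread, not code posted by any participant. It assumes the standard dumpcap options `-i`, `-B` (kernel buffer size in MiB), `-f` (BPF capture filter), `-s` (snaplen), `-b filesize:`/`-b files:` (ring buffer) and `-w`; the sample summary text it parses is constructed in the shape of dumpcap's exit summary and the exact wording may differ between versions.

```shell
#!/bin/sh
# Added example (not from the original thread): build a dumpcap command line for
# high-rate capture, then parse the "received/dropped" summary dumpcap prints on
# exit so a capture can be declared complete or not before anyone analyses it.
# Assumptions: dumpcap with -i, -B (kernel buffer, MiB), -f (BPF filter),
# -s (snaplen), -b filesize:/files: (ring buffer) and -w; summary text format
# as sampled below (constructed, version-dependent).

# Build the dumpcap command. Arguments: interface, kernel buffer in MiB,
# BPF capture filter, output file prefix. Printed rather than executed so the
# operator can review it; run it with: eval "$(build_capture_cmd ...)".
build_capture_cmd() {
    iface=$1; bufmib=$2; filter=$3; outprefix=$4
    # -B: a large kernel buffer absorbs bursts between dumpcap's reads.
    # -f: the capture filter discards uninteresting frames in the kernel,
    #     before the copy to user space and the write to disk.
    # -s 128: keep headers only, cutting disk bandwidth on a busy link.
    # -b: ring buffer of 100 files of 1 GiB keeps a long capture bounded.
    printf 'dumpcap -i %s -B %s -f "%s" -s 128 -b filesize:1048576 -b files:100 -w %s.pcapng\n' \
        "$iface" "$bufmib" "$filter" "$outprefix"
}

# Parse dumpcap's exit summary from stdin.
# Output: "<received> <dropped> <drop_percent>" with one decimal.
parse_drop_summary() {
    line=$(grep 'received/dropped' | head -n 1)
    # Pull the "R/D" pair that follows the interface name.
    counts=$(printf '%s\n' "$line" |
        sed -n 's|^.*: \([0-9][0-9]*\)/\([0-9][0-9]*\) .*$|\1 \2|p')
    [ -n "$counts" ] || return 1
    set -- $counts
    received=$1; dropped=$2
    if [ "$received" -gt 0 ]; then
        pct=$(awk -v r="$received" -v d="$dropped" 'BEGIN { printf "%.1f", d * 100 / r }')
    else
        pct=0.0
    fi
    printf '%s %s %s\n' "$received" "$dropped" "$pct"
}

# A trace with any kernel drops is incomplete; for protocol analysis that
# matters more than the percentage, so this is a strict yes/no.
capture_is_complete() {
    stats=$(parse_drop_summary) || return 1
    set -- $stats
    [ "$2" -eq 0 ]
}

# Constructed sample summaries in the shape dumpcap prints them on exit.
sample_summary_lossy() {
    cat <<'EOF'
Packets captured: 1246250
Packets received/dropped on interface 'eth0': 1250000/3750 (pcap:3750/dumpcap:0/flushed:0/ps_ifdrop:0) (99.7%)
EOF
}

sample_summary_clean() {
    cat <<'EOF'
Packets captured: 420000
Packets received/dropped on interface 'eth0': 420000/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
EOF
}

# Usage demonstration on the constructed samples.
build_capture_cmd eth0 512 'tcp port 443' /data/cap
sample_summary_lossy | parse_drop_summary
if sample_summary_lossy | capture_is_complete; then
    echo "lossy capture: complete"
else
    echo "lossy capture: INCOMPLETE (kernel drops present)"
fi
sample_summary_clean | capture_is_complete && echo "clean capture: complete"
```

The drop counter is the only honest answer to the original question for a given box: the same hardware that keeps up with a filtered, header-only capture may drop heavily on a full-payload capture of the whole link, so the check belongs in every capture procedure rather than being assumed from the hardware spec.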