This is our old Q&A Site. Please post any new questions and answers at

Before you guys say "do your own research" (which I will if this is inconclusive) I was just curious if anyone has tried out similar AMD/Intel rigs and benchmarked their performance on highly parallelized Tshark/Wireshark operations. Upwards of 60 cores. From my googling I couldn't find that anyone looked into this. Also, any optimization or performance suggestions would be highly appreciated. I did find some great info with using 'dd -bs' to speed up reading from disk.

I should make it more clear. I am running multiple instances of Tshark at once over multiple different capture files.

asked 19 Aug '14, 10:49

Blackdragon1400's gravatar image

accept rate: 0%

edited 19 Aug '14, 12:07

Presumably by "paralellized" you mean "running many copies of TShark or Wireshark in parallel"; as grahamb notes, they aren't multi-threaded (multi-threading may be possible, but it's not easy; dissecting network traffic is not easily parallelizeable because dissection of later data in a packet depends on dissection of earlier data in a packet and dissection of data in a later packet often depends on data in earlier packets).

(19 Aug '14, 11:20) Guy Harris ♦♦

Tshark/Wireshark are basically single threaded apps so don't benefit from multiple cores.

permanent link

answered 19 Aug '14, 11:09

grahamb's gravatar image

grahamb ♦
accept rate: 22%

I run many instances at once.

(19 Aug '14, 11:47) Blackdragon1400

any optimization or performance suggestions would be highly appreciated

For capturing performance libpcap >= 1.5.3

I would imagine, without having any measurements to back it up that CPU and memory speed would matter more than manufacturer. Disc access is also a bottleneck.

I would also recomend using the development verson as we have done some optimiztions to the dissection Engine recently.

Running the valgrind script on one of your traces might indicate if something in the protocol mix you are using could be optimized further. ( in the Tools dir )

(19 Aug '14, 12:51) Anders ♦

If you only want to capture dumpcap would be preferable. Like Wireshark, tshark builds data structures for decode purposes whereas dumpcap just takes the data from the npf driver (via the buffer) and writes it to disk. We've run dumpcap captures for weeks without a problem.

We use Dell R320 and R420 units and for outright performance, the disk is definitely the bottleneck. Our units have one system disk and three data disks. We stripe across the three disks and my colleagues claim we can handle a sustained rate of 3 Gbps before we start losing packets. OS is Windows 7.

Best regards...Paul

PS: just noticed you reference to libpcap, so transpose the above accordingly. Not sure if dumpcap is applicable on Linux, so perhaps tcpdump would be preferable.

permanent link

answered 20 Aug '14, 15:05

PaulOfford's gravatar image

accept rate: 11%

edited 20 Aug '14, 15:08

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 19 Aug '14, 10:49

question was seen: 5,382 times

last updated: 20 Aug '14, 15:08

p​o​w​e​r​e​d by O​S​Q​A