Before you guys say "do your own research" (which I will if this is inconclusive) I was just curious if anyone has tried out similar AMD/Intel rigs and benchmarked their performance on highly parallelized Tshark/Wireshark operations. Upwards of 60 cores. From my googling I couldn't find that anyone looked into this. Also, any optimization or performance suggestions would be highly appreciated. I did find some great info with using 'dd -bs' to speed up reading from disk. I should make it more clear. I am running multiple instances of Tshark at once over multiple different capture files.

asked 19 Aug '14, 10:49 Blackdragon1400, edited 19 Aug '14, 12:07
2 Answers:
Tshark/Wireshark are basically single-threaded apps so don't benefit from multiple cores.

answered 19 Aug '14, 11:09 grahamb ♦

I run many instances at once. (19 Aug '14, 11:47) Blackdragon1400
For capturing performance, libpcap >= 1.5.3. I would imagine, without having any measurements to back it up, that CPU and memory speed would matter more than manufacturer. Disk access is also a bottleneck. I would also recommend using the development version as we have done some optimizations to the dissection engine recently. Running the valgrind script on one of your traces might indicate if something in the protocol mix you are using could be optimized further (valgrind-wireshark.sh in the Tools dir). (19 Aug '14, 12:51) Anders ♦
If you only want to capture, dumpcap would be preferable. Like Wireshark, tshark builds data structures for decode purposes whereas dumpcap just takes the data from the npf driver (via the buffer) and writes it to disk. We've run dumpcap captures for weeks without a problem. We use Dell R320 and R420 units and for outright performance, the disk is definitely the bottleneck. Our units have one system disk and three data disks. We stripe across the three disks and my colleagues claim we can handle a sustained rate of 3 Gbps before we start losing packets. OS is Windows 7. Best regards...Paul

PS: just noticed your reference to libpcap, so transpose the above accordingly. Not sure if dumpcap is applicable on Linux, so perhaps tcpdump would be preferable.

answered 20 Aug '14, 15:05 PaulOfford, edited 20 Aug '14, 15:08
Presumably by "parallelized" you mean "running many copies of TShark or Wireshark in parallel"; as grahamb notes, they aren't multi-threaded (multi-threading may be possible, but it's not easy; dissecting network traffic is not easily parallelizable because dissection of later data in a packet depends on dissection of earlier data in a packet, and dissection of data in a later packet often depends on data in earlier packets).
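The thread's practical answer is "one single-threaded tshark per capture file, many at once", but nobody shows how to drive that without launching 60 processes by hand or oversubscribing the box. The script below is an added example, not code from the original thread or from the Wireshark project: it uses find/xargs -P to keep one tshark per online CPU busy over a directory of captures and writes each file's protocol hierarchy (-z io,phs) next to it. Assumed names: the directory layout, the .phs.txt output suffix, the JOBS and TSHARK environment overrides (TSHARK lets you point at a development build, as Anders suggests), and the helper function names are all mine.

```shell
#!/bin/sh
# Added example (not from the original thread). Run one tshark process per
# capture file, N at a time, so a many-core box is used even though each
# tshark is single-threaded.
#
# Assumptions: captures are *.pcap / *.pcapng under one directory; tshark is
# on PATH (override with TSHARK=/path/to/tshark, e.g. a development build);
# JOBS overrides the parallelism (default: one job per online CPU); the
# per-file report is tshark's protocol hierarchy written to <capture>.phs.txt.

# Number of online CPUs, with fallbacks for systems without nproc.
cpu_count() {
    if command -v nproc >/dev/null 2>&1; then
        nproc
    else
        getconf _NPROCESSORS_ONLN 2>/dev/null || sysctl -n hw.ncpu 2>/dev/null || echo 1
    fi
}

# Drive the parallel run over directory $1.
#   -print0 / -0 : NUL-separated names, so spaces in file names are safe
#   -n 1         : exactly one capture per worker
#   -P "$jobs"   : at most $jobs workers at a time (xargs starts the next
#                  one as soon as any finishes, so the cores stay busy)
# The tshark path is passed as $0 of the inner sh so no export is needed;
# each worker owns its own stdout redirection, so reports never interleave.
parallel_tshark() {
    dir=$1
    jobs=${JOBS:-$(cpu_count)}
    find "$dir" -type f \( -name '*.pcap' -o -name '*.pcapng' \) -print0 |
        xargs -0 -P "$jobs" -n 1 sh -c '"$0" -r "$1" -q -z io,phs > "$1.phs.txt"' "${TSHARK:-tshark}"
}

# Count the reports produced under $1 (handy for checking nothing was skipped).
count_reports() {
    find "$1" -type f -name '*.phs.txt' | wc -l | tr -d ' '
}

# Usage: JOBS=60 ./parallel_tshark.sh /data/captures
if [ "$#" -gt 0 ]; then
    parallel_tshark "$1"
    echo "reports written: $(count_reports "$1")"
fi
```

Two caveats a practitioner should keep in mind. First, with this many readers the disk becomes the limit long before the CPUs do, which is exactly what both answers above say about their capture boxes; if the reports show tshark mostly waiting, lower JOBS rather than raising it, and put the captures on striped or SSD storage. Second, each tshark holds its own dissection state, so 60 instances over 60 large captures can need 60 times the memory of one; watch for swapping before blaming the CPU.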