This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

impact of packet capture

We use wireshark for analyzing packet captures we collect with tcpdump and/or tshark on Linux systems. I have been trying to understand the impact of running tcpdump/tshark on packet flow of the host system, but I cannot seem to find much information on this. Can anyone explain how these tools interact with the host system and the impact on network activity?

Is any latency introduced into the session or risk of packets being dropped by the kernel due to the additional demands of copying incoming network data for the capture?

Thanks, Ryan

impact performance packet-capture tcpdump tshark

asked 25 Sep '14, 06:45

ryber
146●4●5●9
accept rate: 16%

One Answer:

I don't have any numbers for you but for sure adding network capture adds work to the host. Some places where this would be the case:

If running a capture turns on promiscuous mode then you'll be getting more traffic than usual (in modern switched networks there normally won't be much more). If you for some reason do end up getting a lot more traffic then this could affect latency and/or cause more packets to be dropped.
A monitored packet needs to be copied to 2 applications: the real network application and tcpdump/dumpshark. If you're on a RISC machine like SPARC such an extra copy can be quite expensive; on x86 it's much less of a problem. Unless your CPU usage is quite high this is unlikely to cause significant additional latency or packet drops.

Of course all of the effects become bigger as traffic rates go up. So: if your traffic rate is not huge and/or your application is not super-critical, sure you can probably safely capture the traffic. Otherwise you might want to invest in a dedicated capture system (attached to a monitor port).

answered 20 Oct '14, 05:40

JeffMorriss ♦
6.2k●5●72
accept rate: 27%