We use wireshark for analyzing packet captures we collect with tcpdump and/or tshark on Linux systems. I have been trying to understand the impact of running tcpdump/tshark on packet flow of the host system, but I cannot seem to find much information on this. Can anyone explain how these tools interact with the host system and the impact on network activity?
Is any latency introduced into the session or risk of packets being dropped by the kernel due to the additional demands of copying incoming network data for the capture?
asked 25 Sep '14, 06:45
I don't have any numbers for you but for sure adding network capture adds work to the host. Some places where this would be the case:
Of course all of the effects become bigger as traffic rates go up. So: if your traffic rate is not huge and/or your application is not super-critical, sure you can probably safely capture the traffic. Otherwise you might want to invest in a dedicated capture system (attached to a monitor port).
answered 20 Oct '14, 05:40