This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark High Speed Data Display


Hi,

I have a requirement for a tool for continuous monitoring a 1Gbps data stream, that would allow users to also view the captured data simultaneously.

I understand that Wireshark would not allow simultaneous high speed data capture and a useful display as the data would be too fast.

Does anyone know of a tool that would allow data to be captured and stored to file and that could also be accessed so that a snapshot of the captured data is viewable in a UI display?

Thanks awl

asked 17 Nov '14, 03:06


awl
accept rate: 0%


One Answer:


What you need is more in the area of "Network Security Monitoring", e.g. with tools like Bro which can automatically extract files and other content.

Anyway, a full speed 1Gbps stream is hard to monitor in realtime, because normal network cards will lose too many packets, and special capture cards cost extra money (and still the amount of data may be coming in too fast to watch it).

answered 17 Nov '14, 03:14


Jasper ♦♦
accept rate: 18%

I'm assuming a 10Gbe network card with zero packet loss.

Do you know if Wireshark has the option to stream dissected packets directly to disk instead of to the display for post analysis?

(18 Nov '14, 02:47) awl

Wireshark (or dumpcap, to be exact) always streams directly to disk, with a small memory buffer of course. Wireshark just reopens and reads the file written by dumpcap when you start a capture.

(18 Nov '14, 03:26) Jasper ♦♦

More detail:

  • To capture traffic, Wireshark runs a program (part of the Wireshark program suite) called dumpcap, which captures packets, writes them to a file or files, and sends messages back to Wireshark, over a pipe, as packets arrive;
  • Wireshark opens the file to which dumpcap is writing, reads those messages from the pipe and, if a message says "N more packets have been written to the file", reads N more packets from the file and displays them.

If you mean "Can I just write the packets to a file without displaying them?", then you can:

  • turn off the "Update list of packets in real time" option when capturing with Wireshark - in that case, Wireshark will not read anything from the file until the capture is stopped, at which point it'll read the entire file;
  • run dumpcap as a command, or run tcpdump (which, currently, will drop fewer packets, at least on some platforms, when writing to a file) with the -w flag, and then, when the capture finishes, read the resulting file in Wireshark.

(19 Nov '14, 16:10) Guy Harris ♦♦
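The "reads N more packets from the file" behaviour Guy Harris describes can be reproduced by a small tail-style reader that only consumes complete records from a capture file another process is still appending to. This is an added example, not code from Wireshark or from any of the posters; it assumes the classic little-endian pcap format (dumpcap writes pcapng by default, so a real reader would need that format too) and builds its own sample file with constructed dummy frames.

```python
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4                 # classic pcap magic (little-endian, microseconds)
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def make_pcap(packets):
    # Constructed sample: classic pcap with link type 1 (Ethernet) and dummy frames.
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(packets):
        out += REC_HDR.pack(1416000000 + i, 0, len(frame), len(frame)) + frame
    return out

class PcapTail:
    def __init__(self, path):
        # Open a capture file that a writer (e.g. dumpcap) may still be appending to.
        self.f = open(path, "rb")
        hdr = self.f.read(GLOBAL_HDR.size)
        if len(hdr) < GLOBAL_HDR.size or GLOBAL_HDR.unpack(hdr)[0] != PCAP_MAGIC:
            raise ValueError("not a classic little-endian pcap file")
        self.offset = GLOBAL_HDR.size  # first byte not yet consumed

    def read_new(self):
        # Return frames appended since the last call; a half-written trailing record waits.
        self.f.seek(self.offset)
        data = self.f.read()
        frames, pos = [], 0
        while pos + REC_HDR.size <= len(data):
            incl_len = REC_HDR.unpack_from(data, pos)[2]
            end = pos + REC_HDR.size + incl_len
            if end > len(data):
                break  # the writer has not finished this record yet
            frames.append(data[pos + REC_HDR.size:end])
            pos = end
        self.offset += pos
        return frames

def demo():
    # Simulate the capture process appending while the reader polls for new packets.
    full = make_pcap([b"\x00" * 60, b"\x11" * 64, b"\x22" * 70])
    cut = GLOBAL_HDR.size + REC_HDR.size + 60 + 10  # header, frame 1, 10 bytes of frame 2's record
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
        tmp.write(full[:cut])
    tail = PcapTail(path)
    first = len(tail.read_new())  # only the complete frame is returned
    with open(path, "ab") as f:
        f.write(full[cut:])  # the rest of the stream arrives
    second = len(tail.read_new())
    return first, second
```

Polling like this is what lets a UI show a snapshot of a file that is still growing without ever handing the dissector a truncated record.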