Hi, In Wireshark opening a pcap and displaying some IE is much faster than exporting the very same info. What is the difference? Tshark export is also slow. Thanks

asked 08 Dec '14, 08:26 PeterK
One Answer:
It probably makes a difference. pcapng files are compressed while pcap is not. My experience is that reading a compressed file (not necessarily pcapng) is usually way faster than writing/creating a compressed file, especially if the files are large enough to experience any delay. I'm not sure if that's the same for all compression algorithms, but it's certainly true for some of them. My test with 7-Zip shows a factor of ~3 between compression (13 seconds) and decompression (4 seconds) of the same file. The test was repeated several times to eliminate file system caching. Regards

answered 09 Dec '14, 07:12 Kurt Knochner, edited 09 Dec '14, 07:14

Pcap-ng files are not compressed by default. (09 Dec '14, 07:17) Anders

I thought they were, but you are right, they are not. Strange, who/what planted that idea into my mind? (09 Dec '14, 07:38) Kurt Knochner
Some questions:

Hi Kurt,

The following config is used:
- Windows Server 2003 R2 Enterprise x64 SP2
- WS 1.12.0 (v1.12.0-0-g4fab41a from master-1.12)
- Everything is processed locally
- Opening in Wireshark takes 10 sec, exporting/tshark takes 60 sec
- It is LTE S1 capture and unfortunately not authorised to share it publicly

I think the 1:6 speed difference is interesting. What I noticed is that exporting/Tshark does not care how many IEs get exported, 1 or 100 it is the same speed. The Tshark command line is like this:
tshark.exe -n -r "s1_pcap" -2 -d sctp.ppi==18,s1ap -R "s1ap" -e frame.time_epoch -e ip.src -e ip.dst -e s1ap.procedureCode -e s1ap.tAC -e s1ap.cell_ID ...
-T fields -E separator=/t -E quote=n -E header=y -E occurrence=a >"s1_csv"
Thank you, Peter
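A small reader for the tab-separated output that the tshark command above produces (added here as an illustration, not code from the poster or the Wireshark project). It assumes the question's options, -E separator=/t -E quote=n -E header=y -E occurrence=a, under which every occurrence of a field in a packet is exported and joined with tshark's default aggregator ","; the sample rows are constructed and only the field names follow the question's command line:

```python
# Parse a tshark "-T fields" export written with:
#   -E separator=/t -E quote=n -E header=y -E occurrence=a
# Every occurrence of a field in a packet is exported, joined by tshark's
# default aggregator ",", so a cell like "0001,0002" holds two s1ap.tAC values.

AGGREGATOR = ","  # tshark's default for -E aggregator

# Constructed sample (not from the poster's capture): the header line that
# -E header=y emits, then two packets. Field names come from the question's
# command line; the values are made up.
SAMPLE_TSV = (
    "frame.time_epoch\tip.src\tip.dst\ts1ap.procedureCode\ts1ap.tAC\ts1ap.cell_ID\n"
    "1418033000.123456000\t10.0.0.1\t10.0.0.2\t9\t\t\n"
    "1418033001.654321000\t10.0.0.2\t10.0.0.1\t17,17\t0001,0002\t00000001,00000002\n"
)


def parse_fields_export(text, aggregator=AGGREGATOR):
    """Return one dict per packet.

    Each value is a list of the field's occurrences in that packet; a field
    that tshark left empty (absent from the packet) becomes an empty list.
    """
    lines = [ln for ln in text.splitlines() if ln != ""]
    if not lines:
        return []
    header = lines[0].split("\t")
    packets = []
    for line in lines[1:]:
        # quote=n means no quoting at all, so a plain split on the tab
        # separator is the correct inverse of what tshark wrote.
        cells = line.split("\t")
        cells += [""] * (len(header) - len(cells))  # tolerate short rows
        record = {}
        for name, value in zip(header, cells):
            record[name] = [] if value == "" else value.split(aggregator)
        packets.append(record)
    return packets


def count_by_procedure(packets):
    """Count packets per s1ap.procedureCode value (each code counted once per packet)."""
    counts = {}
    for rec in packets:
        for code in set(rec.get("s1ap.procedureCode", [])):
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_fields_export(SAMPLE_TSV):
        print(rec)
    print(count_by_procedure(parse_fields_export(SAMPLE_TSV)))
```

If a field's values can themselves contain a comma, pass a different character with -E aggregator=<char> and give the same character to parse_fields_export.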
If Wireshark is already started all the initialisations are already done. Tshark has to do that before starting to read the file. How long does it take Wireshark to load the file if you start it from the command line? wireshark.exe "s1_pcap" or wireshark.exe -R "s1ap"
Hi Anders,
In fact it is the same time, because I am opening the capture via extension association, so Wireshark starts from scratch. Just realised that we are talking about pcapng not pcap if that makes any difference...
Best regards, Peter
Then it might be the filtering, try starting WS from the command line with the filter...