I want to know whether Wireshark supports 10Gb interface data traffic. If not, is there any way to extend Wireshark to support 10G? Please respond as soon as possible. Thank you
asked 19 Feb '16, 03:32 rathnaTech
edited 14 Aug '16, 10:36 Guy Harris ♦♦
2 Answers:
Wireshark run on a normal PC won't be able to support full rate 10GB traffic. In my local experiments it can't even support full rate 1GB traffic, lots of packet drops. To capture at that rate you're probably looking at a specialized capture appliance, e.g. Steelhead Netshark.
answered 19 Feb '16, 04:08 grahamb ♦

I used Wireshark on a PC in 2013 to capture full 10Gb/s traffic (Windows 7 I think). The trick was to capture only to RAM -- increase the capture buffer, stop when it is full, use best capture filters, use best NIC driver.
Noam Cohen
answered 14 Aug '16, 01:49 noam

It's more a question of whether your hard disk can write as fast as 10Gbps. If it cannot, you will get a lot of dropped packets waiting to be written out to disk! Semiconductor hard disks or RAM disks are usually required to capture at that speed. FWIW
(14 Aug '16, 06:21) wbenton
Thank you for your response grahamb, I agree with you. Are there any other libraries (like Wireshark) that support 10G traffic capture?
Wireshark works with 10Gb Ethernet cards, the thing is the traffic rate. Most probably you don't want to save saturated 10Gbit link traffic to file anyway, as it would produce a huge amount of data, and if you do you will probably have to look for commercial solutions with custom HW and lots of disk storage.
You can use special capture NICs that support capture filters to reduce the amount of traffic being written to disk, e.g. from Napatech, Accolade Technology or Fiberblaze.
Have you tried capturing with tcpdump instead? In at least some experiments on Linux a while ago (done by the person who did the TPACKET_V3 support for libpcap), tcpdump run with the -w flag dropped fewer packets than dumpcap.
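
The capture-to-RAM approach described in the answers above (larger capture buffer, a capture filter, stop when full, no disk in the write path), written out as an added example that is not part of the original thread. It assumes Linux with a tmpfs mounted at /dev/shm; the interface name, sizes, filter and the 1 GiB headroom are illustrative values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with tmpfs at /dev/shm.

HEADROOM_KB=1048576   # assumption: keep 1 GiB of RAM free for the system

# MemAvailable in kB from a meminfo-format file (default /proc/meminfo).
mem_available_kb() {
    awk '$1 == "MemAvailable:" { print $2 }' "${1:-/proc/meminfo}"
}

# Whole seconds a capture file of $1 MiB lasts at a sustained $2 Mbit/s.
capture_seconds() {
    echo $(( $1 * 1048576 * 8 / ($2 * 1000000) ))
}

# Print the dumpcap command for a RAM-only capture, or fail if it cannot fit.
#   $1 interface   $2 capture buffer (MiB)   $3 stop size (MiB)
#   $4 capture filter   $5 meminfo file (optional, used for testing)
ram_capture_cmd() {
    avail=$(mem_available_kb "${5:-/proc/meminfo}")
    [ -n "$avail" ] || { echo "MemAvailable not found" >&2; return 2; }
    stop_kb=$(( $3 * 1024 ))
    # The tmpfs file and the capture buffer both come out of RAM.
    need_kb=$(( stop_kb + $2 * 1024 + HEADROOM_KB ))
    if [ "$need_kb" -gt "$avail" ]; then
        echo "need ${need_kb} kB but only ${avail} kB of RAM is available" >&2
        return 1
    fi
    # -B: capture buffer in MiB; -f: capture filter applied before buffering;
    # -a filesize: stop when the file reaches N kB; -w on tmpfs avoids disk I/O.
    printf 'dumpcap -i %s -B %s -f "%s" -a filesize:%s -w /dev/shm/capture.pcapng\n' \
        "$1" "$2" "$4" "$stop_kb"
}

# Usage: ram_capture_cmd eth0 512 8192 'tcp port 443'
# capture_seconds 8192 10000 shows how briefly 8 GiB lasts at full 10 Gbit/s.
```
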