This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

WireShark vs NetShark

0

What does it mean by "No, really, I have a LOT of traffic"?

Would like to know in what kind of environment / requirements to choose NetShark?

I am planning to use Wireshark for 24x7 packet capture.

asked 05 Jul '16, 01:42


WYee
6112
accept rate: 0%

I don't really know what NetShark is so I will let others answer you who know more about this product.

I can only share that Wireshark is not your tool for 24/7 capture. Due to continuous memory consumption and other risk factors, you won't be happy with long term performance as it will crash. The suggested methods of long term capture are:

tcpdump (typical for a Unix-like system)
windump (Windows system)
dumpcap (typical for either system with Wireshark installed)

I do my background captures with one of these, then analyze with tshark and Wireshark.

(05 Jul '16, 02:40) Bob Jones

2 Answers:

0

You should be able to get a taste when reading the NetShark pages. Wireshark is a power tool, in its own domain, that is getting to the details of every bit in a packet. That doesn't jive well with prolonged high data rate capture. NetShark is finely tuned to support long term capture, and getting an overview of that traffic, while allowing you to go into depth, when and where needed. More of a top down approach, while Wireshark has more of a bottom up approach, looking at every frame in every detail, then working its way up (to some degree).

answered 05 Jul '16, 07:03


Jaap ♦
11.7k16101
accept rate: 14%

NetShark is a complete hardware packet capture system, including high-speed disk I/O, leading to a price that is much greater than Wireshark's.

(05 Jul '16, 07:16) grahamb ♦

... Which also means it can handle a lot more traffic without dropping packets.

If you've got a lot of traffic to capture (large number of packets or bytes per second) then you should do some trials to see if dumpcap or tcpdump can handle the traffic rate with an acceptable (to you) amount of packet drops.

(05 Jul '16, 07:29) JeffMorriss ♦

0

A "poor man's" NetShark, depending on requirements for historical captures, can also be scripted use of Wireshark's command-line utilities. For example you can write a very simple bash or perl script that calls "dumpcap" to capture traffic on a given interface for a given time interval and have it save these timed captures into a directory where each capture is timestamped. You can even create a quick-and-dirty retention policy for capture files with bash's "find" command, piped to an "rm" to delete files that exceed a given age.

From there, many possible (free) bells and whistles can be set up. For example you can do scripted reads against those hourly capture files with tshark -z, to pull all sorts of application-specific counter measurements out of it for analytics.

Now, this is going to depend on requirements. Such a server needs fast disk I/O, potentially a large amount of storage (depending on what you're capturing), not to mention security/auditing of users accessing the captures. Depending on use it may need more interfaces (depending on how you are physically receiving the packet streams you are capturing).

answered 05 Jul '16, 14:43


Quadratic
1.9k6928
accept rate: 13%
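The capture loop Quadratic sketches (timed dumpcap runs into timestamped files, an age-based find/rm retention sweep, tshark -z reads over the finished files) and the capture-then-analyze split Bob Jones describes, written out as one POSIX sh script. This is an added example, not code from the thread or from the Wireshark project. The interface name, capture directory, one-hour interval and seven-day retention are assumed defaults; the dumpcap and tshark options used (-i, -a duration:N, -w, -q, -r, -z io,phs, -z conv,tcp) are real ones.

```shell
#!/bin/sh
# Added example: a minimal "poor man's NetShark" built on dumpcap and tshark.
# All four settings below are assumptions for illustration; override via env.
CAP_IFACE="${CAP_IFACE:-eth0}"        # interface to capture on (assumed)
CAP_DIR="${CAP_DIR:-/var/captures}"   # where capture files land (assumed)
CAP_INTERVAL="${CAP_INTERVAL:-3600}"  # seconds per capture file (hourly)
RETAIN_DAYS="${RETAIN_DAYS:-7}"       # delete capture files older than this

# Build the timestamped file name for one capture: <dir>/<iface>-<UTC stamp>.pcapng
# The optional third argument fixes the timestamp (used by the self-test).
capture_name() {
    ts="${3:-$(date -u +%Y%m%d-%H%M%S)}"
    printf '%s/%s-%s.pcapng\n' "$1" "$2" "$ts"
}

# One timed capture. dumpcap exits by itself after CAP_INTERVAL seconds
# (-a duration:N), so the loop below simply starts the next file.
# dumpcap's own ring buffer (-b duration:N -b files:M) does the same job
# without a shell loop if you do not need custom naming or retention.
capture_once() {
    out=$(capture_name "$CAP_DIR" "$CAP_IFACE")
    dumpcap -i "$CAP_IFACE" -a "duration:$CAP_INTERVAL" -w "$out" -q
}

# Retention sweep: remove *.pcapng files in $1 older than $2 days.
# Prints the number of files removed. -print runs before -exec, so each
# removed path is echoed once and counted by wc; -exec avoids the
# word-splitting pitfalls of piping find output into rm.
prune_old_captures() {
    find "$1" -type f -name '*.pcapng' -mtime "+$2" -print \
        -exec rm -f -- {} \; | wc -l | tr -d ' '
}

# Read a finished capture back with tshark: protocol hierarchy (io,phs)
# and per-TCP-conversation byte/packet counts (conv,tcp). -q suppresses
# the per-packet listing so only the statistics tables are printed.
summarize_capture() {
    tshark -q -r "$1" -z io,phs -z conv,tcp
}

# Main loop: capture, then prune, forever. Run with: ./capture.sh run
run_forever() {
    mkdir -p "$CAP_DIR"
    while :; do
        capture_once
        prune_old_captures "$CAP_DIR" "$RETAIN_DAYS" >/dev/null
    done
}

case "${1:-}" in
    run) run_forever ;;
    summarize) summarize_capture "$2" ;;
esac
```

Capturing needs the same privileges dumpcap always needs (CAP_NET_RAW on Linux, or membership in the wireshark group set up by the package); the retention sweep and the tshark reads do not, so the analysis side can run as an unprivileged user that only has read access to the capture directory, which also covers the access-auditing point raised in the answer.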