
What does it mean by "No, really, I have a LOT of traffic"

Would like to know in what kind of environment / requirements to choose NetShark?

I am planning to use Wireshark for 24x7 packet capture.

asked 05 Jul '16, 01:42 by WYee

I don't really know what NetShark is so I will let others answer you who know more about this product.

I can only share that Wireshark is not your tool for 24/7 capture. Due to continuous memory consumption and other risk factors, you won't be happy with long term performance as it will crash. The suggested methods of long term capture are:

- tcpdump (typical for a Unix-like system)
- windump (Windows system)
- dumpcap (typical for either system with Wireshark installed)

I do my background captures with one of these, then analyze with tshark and Wireshark.

(05 Jul '16, 02:40) Bob Jones

You should be able to get a taste when reading the NetShark pages. Wireshark is a power tool, in its own domain, that is getting to the details of every bit in a packet. That doesn't jibe well with prolonged high data rate capture. NetShark is finely tuned to support long term capture, and getting an overview of that traffic, while allowing you to go into depth, when and where needed. More of a top down approach, while Wireshark has more of a bottom up approach, looking at every frame in every detail, then working its way up (to some degree).

answered 05 Jul '16, 07:03 by Jaap ♦

NetShark is a complete hardware packet capture system, including high-speed disk I/O, leading to a price that is much greater than Wireshark.

(05 Jul '16, 07:16) grahamb ♦

... Which also means it can handle a lot more traffic without dropping packets.

If you've got a lot of traffic to capture (large number of packets or bytes per second) then you should do some trials to see if dumpcap or tcpdump can handle the traffic rate with an acceptable (to you) amount of packet drops.

(05 Jul '16, 07:29) JeffMorriss ♦

A "poor man's" Netshark, depending on requirements for historical captures, can also be scripted use of Wireshark's command line utilities. For example you can write a very simple bash or perl script that calls "dumpcap" to capture traffic on a given interface for a given time interval and have it save these timed captures into a directory where each capture is timestamped. You can even create a quick-and-dirty retention policy for capture files with bash's "find" command, piped to an "rm" to delete files that exceed a given age.

From there, many possible (free) bells and whistles can be set up. For example you can do scripted reads against those hourly capture files with tshark -z, to pull all sorts of application-specific counter measurements out of it for analytics.

Now, this is going to depend on requirements. Such a server needs fast disk I/O, potentially a large amount of storage (depending on what you're capturing), not to mention security/auditing of users accessing the captures. Depending on use it may need more interfaces (depending on how you are physically receiving the packet streams you are capturing).

answered 05 Jul '16, 14:43 by Quadratic
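The "poor man's NetShark" sketched in the answer above, written out as an added example (this is not code from the original post or from the Wireshark project). It assumes dumpcap and tshark are on PATH, that the running user may capture on the interface (on Linux, typically membership of the group that owns the capability-enabled dumpcap binary), and uses the hypothetical directory /var/captures and interface eth0 as defaults; every name in the script is an assumption you adjust to your own setup. Each dumpcap run stops after INTERVAL seconds (`-a duration:`), writes a timestamped file, and the retention pass deletes capture files older than RETAIN_DAYS. Only the file-naming and pruning helpers are exercised offline; the capture loop is started only when RUN_CAPTURE=1 is set.

```shell
#!/bin/sh
# Rotating, timestamped dumpcap captures with a simple age-based retention policy.
# Added example, not from the original post. All paths, interface names and
# limits below are assumptions; override them through the environment.

CAP_DIR="${CAP_DIR:-/var/captures}"   # assumed capture directory
IFACE="${IFACE:-eth0}"                # assumed capture interface
INTERVAL="${INTERVAL:-3600}"          # seconds per capture file
RETAIN_DAYS="${RETAIN_DAYS:-7}"       # delete capture files older than this
SNAPLEN="${SNAPLEN:-0}"               # 0 = full packets; e.g. 128 to keep headers only

# Path of the capture file for a given UTC timestamp string (YYYYmmdd-HHMMSS).
capture_name() {
    printf '%s/capture-%s.pcapng\n' "$CAP_DIR" "$1"
}

# One capture window: dumpcap exits on its own after INTERVAL seconds.
#   -s snaplen, -B kernel buffer in MiB (raise it before accepting drops),
#   -a duration:N autostop, -q suppress the per-packet counter, -w output file.
capture_once() {
    out=$(capture_name "$(date -u +%Y%m%d-%H%M%S)")
    dumpcap -i "$IFACE" -s "$SNAPLEN" -B 64 -a "duration:$INTERVAL" -q -w "$out"
}

# Retention: remove capture files (and only capture files) older than RETAIN_DAYS.
# $1 overrides the directory so the pruning can be tested on a scratch directory.
prune_old() {
    dir="${1:-$CAP_DIR}"
    find "$dir" -type f -name 'capture-*.pcapng' -mtime +"$RETAIN_DAYS" -exec rm -f {} +
}

# Number of capture files currently retained in a directory.
count_captures() {
    find "${1:-$CAP_DIR}" -type f -name 'capture-*.pcapng' | wc -l | tr -d ' '
}

# Scripted analytics on a finished file: protocol hierarchy and TCP conversations.
# -q keeps tshark from printing every packet; -z selects the statistics.
summarize() {
    tshark -r "$1" -q -z io,phs -z conv,tcp
}

# Capture forever; run under a supervisor (systemd, runit) so a dumpcap failure
# restarts the loop rather than silently ending the capture.
main() {
    mkdir -p "$CAP_DIR"
    while :; do
        capture_once
        prune_old
    done
}

if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    main
fi
```

Two caveats a practitioner will hit. First, restarting dumpcap once an hour leaves a gap of however long process startup takes; dumpcap's own ring buffer avoids it, rotating in-process and capping retention by count instead of age, for example `dumpcap -i eth0 -b duration:3600 -b files:168 -w /var/captures/capture.pcapng` (one week of hourly files, oldest replaced first). Second, run the trial the earlier comment asks for before trusting either approach: dumpcap reports dropped packets when it exits, and the `-B` buffer size and `-s` snaplen are the two knobs that move that number on a busy link.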

question asked: 05 Jul '16, 01:42


last updated: 05 Jul '16, 14:43
