This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Info monitoring Bandwidth

0

Hi, i have need of monitoring Bandwidth with wireshark. I have activated the sniffing on my pc and I start to transfer the big file (1GB) on the other pc on my network. I have activated the control traffic and I'm monitoring the bandwidth in Statistics -> Conversation The bandwidth is 71 Mbits/s, egual to 8,8 MByte/s, while the network NIC showed 11MByte/s. Which it is true? How Wireshark calculate the Bandwidth? Best regards Riccardo

asked 29 Sep '17, 06:06

Riccardo1987's gravatar image

Riccardo1987
6223
accept rate: 0%


One Answer:

0

I believe (someone may correct me) that Wireshark is only going to be telling you the bandwidth used by the bytes it can see. So if you're capturing IP over Ethernet (a common example) Wireshark normally sees the Ethernet header, the IP header, then whatever payload you've got.

What Wireshark won't see is what the NIC didn't pass up. Sticking with the Ethernet example this means you probably didn't capture the Ethernet FCS (checksum) nor the preamble, start of frame delimiter, nor the inter-packet gap (see Wikipedia's Ethernet frame page for some details).

Your NIC, however, is probably taking all those other fields into account in its count of bytes transmitted/received which then affects the bit rate you see.

Which is true? If my theory is correct I'd say the NIC is more accurate. But I'm not sure I'd say Wireshark is wrong: it would actually be quite hard for it to know for sure that it's really looking at packets captured over Ethernet (as opposed to the many things out there that give Wireshark fake Ethernet headers and the like).

answered 29 Sep '17, 12:59

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Not to forget that capturing locally on a system involved in the transfer isn't usually going to give you exact numbers. For that, an independent, listen-only capture device is required, and the frame drops need to be zero.

(30 Sep '17, 12:46) Jasper ♦♦

Hi, thank you so much. Then, if I'm monitoring bandwidth on my NIC of the firewall with wireshark, i don't consider the results completely correct, it's just?

(02 Oct '17, 00:54) Riccardo1987