This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark dissector profiling

1

I want to write an SCTP dissector in C and in Lua, respectively, and record the time they need to dissect the protocol. Then, I can make a comparison. However, I do not know how to get the time of dissecting a packet. Is there any API or other ways to do this? Thanks a lot~

asked 29 Sep '11, 19:13

dingding0743
16224
accept rate: 0%

edited 29 Sep '11, 20:17

helloworld
3.1k42041

Great question. It's well known that scripted languages are slower. But it's worth knowing how much worse the performance can be. There is no API for profiling. This would be difficult to tell the time per dissector since one dissector calls the other. One approach could be a unit tester. I build such a thing running tshark with synthetic capture data. The problem is that invoking the tshark process takes a lot of time in comparison to the actual dissection.

(08 Oct '11, 08:26) harper

Thank you very much!

(12 Oct '11, 18:44) dingding0743

One Answer:

1

All things being equal, the C dissector will always outperform the Lua one. This is generally true when comparing a program written in C (compiled) to an equivalent in a scripting language (interpreted).

That said, it could be interesting to see the difference in the context of Wireshark.

One quick-and-dirty (and non-exact) way is to create a large pcap of duplicate SCTP packets (e.g., 1000000 packets), and open the pcap with tshark using the C dissector alone (w/o the Lua equivalent) and then Lua alone. Use the Linux time command to get statistics about the run. For example:

$ time tshark -r huge.pcap
[...]
real    0m0.###s
user    0m0.###s
sys     0m0.###s

$ time tshark -r huge.pcap -Xlua_script:sctp.lua
[...]
real    0m0.###s
user    0m0.###s
sys     0m0.###s

You might also want to try GNU gprof.

answered 29 Sep '11, 21:12

helloworld
3.1k42041
accept rate: 28%

Thank you very much, I will try the tshark

(12 Oct '11, 18:43) dingding0743
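The benchmark described in the answer above, as an added example that is not part of the original posts: it writes the pcap of duplicate SCTP packets and times tshark on it, subtracting a one-packet run to account for the process start-up cost raised in the earlier comment. `huge.pcap` and `sctp.lua` are the names used in the answer; `one.pcap` and all packet contents (addresses, ports, tag, payload) are constructed sample values.

```python
import shutil, struct, subprocess, time

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sctp_frame() -> bytes:
    """Constructed Ethernet/IPv4/SCTP frame with one DATA chunk (all values are samples)."""
    payload = b"benchmark!!!"  # 12 bytes: multiple of 4, so no chunk padding
    # DATA chunk: type 0, flags 0x03 (unfragmented), length, TSN, stream, seq, PPID
    chunk = struct.pack("!BBHIHHI", 0, 0x03, 16 + len(payload), 1, 0, 0, 0) + payload
    # Common header: ports, tag, checksum left 0 (assumes it is not being validated)
    sctp = struct.pack("!HHII", 5000, 5001, 0x1234, 0) + chunk
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 0, 0, 64, 132, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return bytes.fromhex("020000000002" "020000000001" "0800") + ip + sctp

def write_pcap(path: str, frame: bytes, count: int) -> int:
    """Write `count` copies of `frame` as a classic pcap file; return its size."""
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    with open(path, "wb") as f:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for _ in range(count):
            f.write(record)
    return 24 + count * len(record)

def time_tshark(pcap: str, extra_args=(), runs: int = 3):
    """Best wall-clock seconds for `tshark -r pcap`; None if tshark is not installed."""
    if shutil.which("tshark") is None:
        return None
    times = []
    for _ in range(runs):
        start = time.perf_counter()
        subprocess.run(["tshark", "-r", pcap, *extra_args], check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        times.append(time.perf_counter() - start)
    return min(times)

if __name__ == "__main__":
    write_pcap("one.pcap", sctp_frame(), 1)          # start-up cost baseline
    write_pcap("huge.pcap", sctp_frame(), 1000000)
    for label, args in (("C", []), ("Lua", ["-Xlua_script:sctp.lua"])):
        startup, full = time_tshark("one.pcap", args), time_tshark("huge.pcap", args)
        if full is not None:
            print(f"{label}: {full - startup:.3f}s dissection, {startup:.3f}s start-up")
```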