This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can Wireshark monitor bandwidth usage per application/process?

0

I'm using Ubuntu 10.04 and I want to monitor and ideally log how much each application/process is uploading and downloading. Something like: Firefox has downloaded 50MB, Transmission has downloaded 500MB and uploaded 300MB, Ubuntu One has uploaded 5MB, etc. A per-session record would do, but actually logging usage to a database/text file would be best.

Can Wireshark do this? (And on Windows?)

Suggestions for alternate tools that do exactly this also welcome :)

asked 15 Sep '10, 05:27

d3vid

edited 15 Sep '10, 15:02


2 Answers:

0

You can see this information in Wireshark by clicking on "Statistics" -> "Conversations".

To see traffic between:

  • Two specific hosts, look at the "IPv4" or "IPv6" tab.
  • A specific session between two hosts, look at the "TCP" tab.

For all data for a specific host, look at "Statistics" -> "End Points" then look at the tabs as above.

Wireshark may not be the best solution for long-term trending of this information, however. You may want to look at something like NTop or BandwidthD which may be a better solution. Article with more options here: http://www.ubuntugeek.com/bandwidth-monitoring-tools-for-linux.html

answered 15 Sep '10, 06:19

Peter

Hmmm, I can pick out particular IP addresses and ports that I know, but not actual applications (e.g. is an HTTP conversation running from Firefox or from Chrome?). Am I missing something? Looking into those other options too, thanks Peter!

(15 Sep '10, 15:00) d3vid

You would have to get the browser version from the 'agent' field in the HTTP packets. Your web server should be able to give you those stats.

(15 Sep '10, 15:05) Peter

Excellent, that solves it for browsers and anything else sending HTTP packets. I guess for other protocols it'll be on a case by case basis.

I've added an answer with tools I've found that address the application/process issue in a more general way.

(15 Sep '10, 15:54) d3vid

0

It looks like one alternative might be NetHogs. Old, Linux-only, shows current traffic not totals, but small, easy to run and does show per-process stats directly. http://nethogs.sourceforge.net/

answered 15 Sep '10, 15:50

d3vid

edited 15 Sep '10, 15:55

You might want to follow bug 1184. If it's ever implemented, then this could become possible in Wireshark.

(18 Jun '12, 21:10) cmaynard ♦♦

@cmaynard: regarding your comments to bug 1184:

would it be acceptable (according to the design principles):

  • to have a separate process to retrieve the PID of a process for every new conversation, where at least one IP address is configured on the local system? This may be necessary due to privilege separation. Communication with that process through IPC.
  • that this feature is NOT implemented on every platform. In general: is it required to implement a Wireshark feature on EVERY platform? How does a developer handle that, without access to a certain target platform?
  • to extend dumpcap to have this functionality

Regards
Kurt

(18 Jun '12, 23:58) Kurt Knochner ♦

@Kurt, I haven't thought about how this might be implemented at all, so I'm not in a position to provide a meaningful answer here, but if you have some ideas, then perhaps mentioning them in the bug report would be more appropriate, as anyone interested in this who might be following it might have more feedback to offer than myself.

Regarding any requirement that it be implemented on EVERY platform ... I think it SHOULD be implemented on every platform, but at least initially, I don't think it MUST be implemented on every platform.

(19 Jun '12, 07:55) cmaynard ♦♦

O.K. I'll update the bug.

(19 Jun '12, 08:05) Kurt Knochner ♦
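
The per-conversation PID lookup discussed in the comments above, sketched for Linux as an added example (not Wireshark code and not written by anyone in this thread): it joins conversation rows against `/proc/net/tcp` and the `/proc/<pid>/fd` socket links to total bytes per process. Assumptions: IPv4 TCP only, a little-endian host, and a lookup made while the sockets are still open; the function names and sample rows are constructed for illustration.

```python
import glob
import os
import socket

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:C350 076433C6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1
   1: 0A0200C0:C351 057100CB:1AE1 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1
"""
# Constructed rows: (local ip, local port, remote ip, remote port, bytes).
SAMPLE_CONVERSATIONS = [
    ("192.0.2.10", 50000, "198.51.100.7", 80, 52428800),
    ("192.0.2.10", 50001, "203.0.113.5", 6881, 838860800),
    ("192.0.2.10", 50002, "198.51.100.7", 443, 1200),  # socket already closed
]

def endpoint(hexaddr):
    """Decode '0A0200C0:C350' to ('192.0.2.10', 50000); little-endian host."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def socket_inodes(proc_net_tcp_text):
    """Map (local ip, local port, remote ip, remote port) to socket inode."""
    rows = (line.split() for line in proc_net_tcp_text.splitlines()[1:])
    return {endpoint(f[1]) + endpoint(f[2]): int(f[9]) for f in rows if len(f) >= 10}

def inode_owners(proc_root="/proc"):
    """Map socket inode to (pid, name) using the /proc/<pid>/fd symlinks."""
    owners = {}
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        pid_dir = os.path.dirname(os.path.dirname(fd))
        try:
            target = os.readlink(fd)  # e.g. "socket:[40001]"
            if target.startswith("socket:["):
                with open(os.path.join(pid_dir, "comm")) as fh:
                    owners[int(target[8:-1])] = (int(os.path.basename(pid_dir)), fh.read().strip())
        except OSError:  # process exited, or its fds belong to another user
            continue
    return owners

def bytes_per_process(conversations, inodes, owners):
    """Sum bytes per owning process; sockets with no owner stay visible."""
    totals = {}
    for lip, lport, rip, rport, nbytes in conversations:
        owner = owners.get(inodes.get((lip, lport, rip, rport)), (None, "unattributed"))
        totals[owner] = totals.get(owner, 0) + nbytes
    return totals
```

On a live host, pass the contents of `/proc/net/tcp` to `socket_inodes()` and call `inode_owners()` with its default root. Flows whose socket closed before the lookup, or whose owning process cannot be read by the current user, are counted under "unattributed".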