This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

About the capacity of Wireshark, so many packets drop

0

I have met some problems with Wireshark. My situation is that I have a good IBM server; the server's configuration is below:

CPU: 4 core, xeon 7500, 2.0GHz
disk: 10000RPM  600GBytes
RAM: 32GBytes
Ethernet ports:  1 Gigabit
the version of wireshark: 1.6 64bits
the OS : Windows 2008 R2

The flow of my data is 250Mbps more or less, but when I collect the data for one hour, the size of the data collected is only 95GBytes. So there are about 14Gbytes dropped.

So, who can tell me why, and give me a solution? Thanks a lot.

asked 08 Mar '12, 19:16


anew_flyfree
accept rate: 0%

edited 08 Mar '12, 23:56


SYN-bit ♦♦


One Answer:

1

First thing to do is try the dumpcap utility: its job is to simply capture packets and do it quickly. It doesn't have all the overhead of the GUI.

Increasing the capture buffer size (with dumpcap's "-B" command-line argument) may also help.

If that doesn't help (enough), which I suppose may be the case if you're really talking 250 Mbps, you may need to look into some commercial solutions. Riverbed sponsors Wireshark and also makes products which complement it: for example dealing with high-speed and long-term capturing.

answered 09 Mar '12, 06:50


JeffMorriss ♦
accept rate: 27%
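
The answer's suggestion, capturing with dumpcap and a larger "-B" buffer instead of the GUI, could be run as follows from PowerShell on the Windows server. This is an added example, not part of the original answer; the install path, interface index, buffer size, file size and output directory are assumed values to adjust.

```powershell
# Assumed values (not from the original post): adjust to the local system.
$dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumed install path
$outDir    = 'D:\captures'                              # assumed output directory
$iface     = 1         # interface index as printed by "dumpcap -D"
$bufferMiB = 512       # -B takes the capture buffer size in MiB
$fileKB    = 1000000   # -b filesize is in kB: start a new file roughly every 1 GB
$seconds   = 3600      # -a duration is in seconds: stop after one hour

if (-not (Test-Path $dumpcap)) { throw "dumpcap not found at $dumpcap" }
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# List the capture interfaces so the index above can be checked.
& $dumpcap -D

# Capture without the GUI, with a larger capture buffer, into a series of files.
# dumpcap reports its packet counts, including drops, when it stops.
& $dumpcap -i $iface -B $bufferMiB -b "filesize:$fileKB" `
    -a "duration:$seconds" -w (Join-Path $outDir 'capture.pcap')

# Total size written, for comparison with the volume expected from the link rate.
$bytes = (Get-ChildItem $outDir -Filter 'capture*' |
          Measure-Object -Property Length -Sum).Sum
'{0:N1} GB written to {1}' -f ($bytes / 1e9), $outDir
```

Writing a series of files rather than one very large file keeps each capture file small enough to open in Wireshark afterwards.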