Hi,

I'm new to Wireshark and I want to be able to measure our file server's bandwidth utilisation for a possible move to a remote location. So I want to capture (by port mirroring) my file server's traffic for a week. For testing purposes I started a capture excluding broadcast and multicast packets, in files with a 5-minute rotation, for a couple of hours. My problem is that I will rapidly run out of disk space. What is the best way to measure bandwidth without capturing all the gigabytes and terabytes of data exchanged on that server?

Regards, Patrick

asked 15 Jun '12, 12:31 JimToupet
2 Answers:
You should not capture with wireshark or tshark, as they will build internal state while dissecting data. I suggest this:
Regards

answered 15 Jun '12, 14:13 Kurt Knochner ♦ edited 16 Jun '12, 01:39
I wouldn't use wireshark for this task. I would use SNMP to read the port statistics of the switch to which the fileserver is connected (or read the WMI stats from the server itself through SNMP). One nice little SNMP tool is STG (freeware).

UPDATE: I totally forgot to mention the blogpost I wrote a while ago on how to use STG.

answered 16 Jun '12, 04:51 SYN-bit ♦♦ edited 16 Jun '12, 04:53
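The counter-based approach from the answer above, as an added example that is not part of the original thread or of STG/PRTG: it turns periodic readings of a switch port's octet counter (IF-MIB `ifHCInOctets`, or 32-bit `ifInOctets`) into per-interval rates plus average, peak and 95th percentile. The function names, the 5-minute polling interval, the 1 Gbit/s port speed and all sample values are assumptions constructed for illustration.

```python
import math

def rates_bps(samples, counter_bits=64, link_bps=1_000_000_000):
    """samples: [(unix_time, octet_counter), ...] -> list of bits/s per interval."""
    modulus = 1 << counter_bits
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicate or out-of-order poll
        # The modulus absorbs a single counter wrap between two polls.
        delta = (c1 - c0) % modulus
        bps = delta * 8 / dt
        if bps > link_bps:
            continue  # faster than line rate: counter reset (reboot), not traffic
        rates.append(bps)
    return rates

def percentile(values, pct):
    """Nearest-rank percentile."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def summarise(rates):
    return {
        "avg_mbps": sum(rates) / len(rates) / 1e6,
        "peak_mbps": max(rates) / 1e6,
        "p95_mbps": percentile(rates, 95) / 1e6,
    }

# Constructed 64-bit counter readings, one poll every 300 s.
SAMPLES = [
    (0, 10_000_000_000),
    (300, 10_150_000_000),
    (600, 10_450_000_000),
    (900, 10_525_000_000),
    (1200, 1_000),        # switch rebooted: counter restarted near zero
    (1500, 225_001_000),
]

if __name__ == "__main__":
    print(summarise(rates_bps(SAMPLES)))
```

With 32-bit counters a gigabit port can wrap more than once inside a 5-minute poll, which the modulus cannot recover, so the 64-bit counters are the ones to read for a file server port.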
Thanks Kurt and SYN-bit.
Kurt: I forgot to mention that our file server is a Novell Netware. In our final step of analysis, can we say that the Novell NCP protocol load will be equivalent to the SMB Windows load? We planned to move the server, but we are also changing it from Netware to Windows.
SYN-bit: We already have an SNMP traffic capture set up using PRTG Network Monitor. But one of the remote location admins wants a capture without "noise" (broadcast and multicast requests).
Well, you can differentiate the two protocols in wireshark; however, you need a different capture filter for NCP!
If you want to know whether there will be the same network load after you have migrated the server from NCP to SMB: well, that's a good question. I can't tell you, and I don't know of a direct comparison of the two protocols regarding performance/bandwidth (which means nothing ;-))
Usually netflow/sflow (whatever your switch/router supports) would help to separate protocols (using PRTG as a flow collector). However, that (possibly) won't work with NCP.
BTW: Are you using IPX or IP?
Regarding the bandwidth/performance comparison of NCP versus SMB: maybe you can test it yourself. Download a set of identical files with both protocols and compare the results in wireshark. You should at least download 3-5 large files (> 10-20 MByte) and a set of small files (50 x 10-20 Kbyte) to get an idea of how both protocols work in different scenarios.
We are using IP.
In that case, you should consider Netflows. Much easier than any analysis with wireshark!