 | 1 | initial version |
Depends on where and how the Wireshark capture is taken. While you may capture on the machine where the traffic originates/terminates, it is always the best to capture outside it, using port mirroring or similar techniques to copy the traffic to a machine dedicated for capturing. This allows to avoid issues like TCP offloading which may make some packets invisible to the capturing process and like packets missed due to insufficient processing power. On the other hand, if the perfmon is running on the same machine like the capturing process of Wireshark, both should be affected by the same effects.
So capturing by an independent machine outside the monitored one will always tell you the truth. Capturing simultaneously on the machine which is the source&destination of the traffic will allow you to compare the two traces and see how much any of the effects described above affects the accuracy of self-capturing in case of that particular machine.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
