Am I able to use wireshark to observe large (10G) traffic congestion?

asked 2018-01-25 16:43:28 +0000

We are trying to find out if we are overloading our switch traffic.

Is wireshark an appropriate tool for this? I'm not looking for a full tutorial, just a yes or no, and maybe a few tips related to this specific issue.

Thank youuuuu


2 Answers

answered 2018-01-25 17:16:53 +0000

sindy

Wireshark can help you with analysis but you would need some special hardware to capture such traffic volumes.

What you mean by switch overload is another question. I would look at port statistics of the switch at first. The switching fabric is designed to deal mostly with unicast traffic (one going between two ports of a switch) and only a small share is expected to be a native or enforced multicast. If your actual traffic contains too much multicast, you can exceed the fabric capacity, causing packets to be lost, or you can exceed the available bandwidth of the egress ports if the fabric handles more. If too much traffic, even unicast one, from several ingress ports is sent out via a single egress port, you'll get an overload (packet loss) of that port as well. And packet loss due to insufficient bandwidth should be visible in the port statistics.

So a mere ping between two connected devices should tell you whether you overload the switch (or at least one of its ports participating in the test) or not; to find out why that happens is a different story.

Some redundancy techniques build on the fact that a switch multicasts frames for a given MAC address until it gets a frame from that MAC address. Again, the switch should be able to tell you which MAC addresses have been seen which match no particular port; you can see from the MAC value whether it is a multicast one or whether it is one of those reserved for those redundancy techniques.


Short and sweet: No. Wireshark is like a microscope, capable of looking at every individual bit of the network traffic. Would you use a microscope to measure the flow in a river? Probably not. The only serious way to look into these kinds of problems is analysis of the port statistics, just like @sindy says.

Jaap ( 2018-01-25 18:21:04 +0000 )

Thank you very much you two.

I tried digging a little to find the port statistics, can you give me an example of where I can find this? (doesn't matter what brand, I should be able to figure it out on the other ones based off one example).

pondhop ( 2018-01-25 19:37:00 +0000 )

Not really, different manufacturers use very different approaches to configuration and monitoring, from pure command line (show interface xxxx detail) through text menus where you move using arrows and enter to clickable web GUIs. Often "configuration" and "monitoring" get separated somewhere early in the tree. So you are looking for "monitoring" or "supervision" or "state" of physical interfaces. I've even seen "dashboard".

sindy ( 2018-01-25 21:34:16 +0000 )
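
Once the port statistics have been located, the usual reading of them is the difference between two polls of the same counters. The following is an added example, not part of the original thread: it assumes the switch exposes the standard IF-MIB counters named in the comments, and the two samples are constructed values, not output from a real device.

```python
from dataclasses import dataclass

COUNTER32 = 2**32   # ifOutDiscards is a 32-bit counter and wraps quickly
COUNTER64 = 2**64   # the ifHC* counters are 64-bit


@dataclass
class Sample:
    t: float            # time of the poll, in seconds
    out_octets: int     # ifHCOutOctets
    out_ucast: int      # ifHCOutUcastPkts
    out_mcast: int      # ifHCOutMulticastPkts
    out_bcast: int      # ifHCOutBroadcastPkts
    out_discards: int   # ifOutDiscards


def delta(new, old, modulus):
    """Counter difference that stays correct across one wrap between polls."""
    return (new - old) % modulus


def egress_report(a, b, link_bps):
    """Egress load of one port over the interval between samples a and b."""
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("samples must be in time order")
    octets = delta(b.out_octets, a.out_octets, COUNTER64)
    ucast = delta(b.out_ucast, a.out_ucast, COUNTER64)
    mcast = delta(b.out_mcast, a.out_mcast, COUNTER64)
    bcast = delta(b.out_bcast, a.out_bcast, COUNTER64)
    drops = delta(b.out_discards, a.out_discards, COUNTER32)
    pkts = ucast + mcast + bcast
    return {
        "utilisation": octets * 8 / dt / link_bps,       # 1.0 = line rate
        "discards_per_s": drops / dt,                    # egress drops
        "mcast_share": (mcast + bcast) / pkts if pkts else 0.0,
    }


# Constructed samples, 10 s apart, for a 10 Gbit/s port.
# The discard counter wraps past 2**32 between the two polls.
SAMPLE_A = Sample(0.0, 500_000_000_000, 40_000_000, 2_000_000, 10_000, 4_294_967_000)
SAMPLE_B = Sample(10.0, 511_875_000_000, 49_000_000, 3_000_000, 10_000, 204)

if __name__ == "__main__":
    print(egress_report(SAMPLE_A, SAMPLE_B, link_bps=10e9))
```

A port that sits near line rate while its discard counter keeps rising is the egress overload described in the answer above; a high multicast share points at the flooding case.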

answered 2018-01-26 10:31:07 +0000

this post is marked as community wiki

Hi Brandon,

For packet capture, you can do it even with commodity HW, but you need to use PF_RING which bypasses Linux kernel. With PF_RING, you can capture with Wireshark whole traffic on 10GE interface. Just google for PF_RING and compiling tshark with this option. You can use it with standard Intel NIC. I recommend to write data to ramdisk to preserve HDD write speed limitation.

Once you get the packets, you should check packet loss, retransmissions, RTT and so on. For this, I highly recommend Laura Chappell's Wireshark training.

All the best.


Asked: 2018-01-25 16:43:28 +0000

Seen: 70 times

Last updated: Jan 26