Wireshark throughput is less over PIPE

asked 2021-07-01 09:17:33 +0000

updated 2021-07-01 10:51:05 +0000

Hello experts,

On Windows 10 run over a good configuration system (Intel i7, 16 GB RAM), an application is receiving live traffic at 30Mbps which is then relayed/passed on to a 64-bit Wireshark process via a (unnamed) PIPE. Pipe is created by CreatePipe() Win API and tied to Wireshark stdin - a Windows recommended way. Wireshark CPU & RAM consumptions do not indicate overload.

It looks like Wireshark is not able to receive traffic at this rate. In fact, it is able to receive at ~2Mbps only. Some steps tried that have not yielded positive results:

Increase size of pipe from the default size to 512KB to 4MB to 40MB - throughput degraded once the pipe fills up in a few seconds
Tried to flush the pipe using FlushFileBuffers - throughput degraded (https://docs.microsoft.com/en-us/wind...)
Specified a buffer-size to Wireshark using option -B 100 - no improvement
Used hard disk type SSD instead of HDD - no improvement
When we ran a custom program on the other side of the pipe that consumes packets just like Wireshark would (with very less overhead of processing), we are able to pass on traffic at the expected 30 Mbps.

Questions:

Q.1. At what rate Wireshark can receive traffic over a PIPE from other apps?
Q.2. What (settings/parameters/environment) would slow Wireshark down when receiving traffic over PIPE?
Q.3. What configuration/environment/parameters changes of Wireshark or Windows OS can be made improve Wireshark throughput?
Q.4. How does the throughput of Wireshark on Windows receiving traffic over a pipe-to-stdin compare with Wireshark throughput when listening over a network interface?

Regards,
Amit

edit retag flag offensive close merge delete

Comments

Why do you need to have the stream analysed/displayed by wireshark in real time? Either have your capture program write a pcap(ng) file directly or use dumpcap to write to file(s) then analyse the resulting file(s) with wireshark or script tshark to extract the information you need.

Anders ( 2021-07-01 12:31:19 +0000 )edit

Thanks for response.

Wireshark capture packets in real time on network interface as a standard functionality. We wanted to use the same real time capture standard functionality over pipe.

Are there any limitations because of which this cannot be achieved over pipe?

amit_wireshark ( 2021-07-01 12:58:27 +0000 )edit

add a comment

answered 2021-07-01 13:33:21 +0000

JeffMorriss

6396 ●30 ●78

Interesting...

So have you tested how fast Wireshark can capture when not using a pipe? I don't think anyone is going to know the answer to Q.1 or Q.4 - you'd have to try that yourself.

To my knowledge, not a lot of people capture via pipes. Keep in mind that when doing a live capture from a NIC dumpcap does the capture, writes it to a file, and then tells Wireshark/tshark "hey there are more packets in the file for you to read". That's why Anders suggested writing the packets to a file (like dumpcap).

Have you looked at using the ExtCap interface instead?

edit flag offensive delete link

Comments

Thanks for response. We concluded the reading from PIPE by wireshark (over Windows) is much slower than other options. We stopped using PIPE.

amit_wireshark ( 2021-07-14 12:51:30 +0000 )edit

add a comment

Wireshark throughput is less over PIPE

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Wireshark throughput is less over PIPE edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Wireshark throughput is less over PIPE