
Is there a way on macOS to tell Wireshark to use more CPU/memory?

asked 2019-05-12 20:05:02 +0000

yobyot

I'm working on a capture file of about 5.5G, or about 18 minutes of traffic on a local LAN. I'm trying to analyze it on a 2019 iMac with a Core i9 and 24GB of RAM with a 1TB SSD -- IOW, a machine with plenty of horsepower.

Yet Wireshark seems to be using only trivial amounts of CPU and memory, according to iStat Menus. Is there a way to tell Wireshark to "go to town" and take all it can get from a machine in hopes of speeding performance?


Comments

Yet Wireshark seems to be using only trivial amounts of CPU and memory, according to iStat Menus.

If it's not currently dissecting packets, or running some statistical analysis from the menu, or filtering the packet, or doing some other form of work, it would be a major bug if it were using non-trivial amounts of CPU - it shouldn't burn up the CPU while it's waiting for you to tell it to do something.

Is it even showing trivial amounts of CPU while it's doing some work?

Guy Harris ( 2019-05-12 20:50:05 +0000 )

Ah! Good points. I wasn't specific enough. During live capture, adding a filter, for example, can take 30 to 40 seconds (I was focusing on mDNS in this case). I was hoping that's the kind of operation that could "pin" the CPU. But it doesn't.

yobyot ( 2019-05-12 20:53:02 +0000 )

1 Answer


answered 2019-05-12 21:13:53 +0000

Guy Harris

I was hoping that's the kind of operation that could "pin" the CPU.

As a multiprocessor system, your iMac has 8 CPUs.

Packet dissection is a process that is hard to parallelize so that it can use more than one thread; the dissection of packet N is not necessarily independent of the dissection of packet M, for M < N.

It is not currently parallelized, so it only uses one CPU, and only one of your CPUs could be pinned by the process, so it may not get much above 12.5% of the system's total CPU power.

We've thought some about ways to try to parallelize it, e.g. assigning packets to CPUs based on transport-layer connections to reduce the chances that two packets being dissected in parallel will have dependencies that force dissection of the later packet to stall until dissection of the earlier packet completes, as well as adding dependency checking to stall in the case that there is a dependency between packets from different connections. Unfortunately, the process of identifying the connection to which a packet belongs is part of the dissection process, so this might involve handing packets from one thread to another.

As for memory, saving the full results of dissection if you have enough physical memory (and perhaps discarding it if the system is reporting memory pressure to the application; macOS has mechanisms to do that, other OSes might or might not) might speed up filtering, but so might reducing the amount of dissection done to evaluate a filter.


Comments

Thank you very much for the detailed, informative answer.

This is one reason people love Wireshark: it comes with a knowledgeable, responsive community.

yobyot ( 2019-05-12 21:23:42 +0000 )
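
The connection-based partitioning idea from the answer above, sketched as an added example (not Wireshark code and not written by the answer's author): each frame is assigned to a worker by hashing its direction-independent 5-tuple, and finding that 5-tuple already requires parsing the Ethernet, IPv4 and TCP/UDP headers, which is the dependency the answer points out. The names `pick_worker` and `sample_worker`, the FNV-1a hash and the "worker 0 is the serial fallback" convention are assumptions of this sketch, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Map a frame to a worker so both directions of a TCP/UDP connection share one.
 * Worker 0 is the serial fallback: non-IPv4, IP fragments, truncated frames. */
unsigned pick_worker(const uint8_t *f, size_t len, unsigned nworkers)
{
    if (nworkers < 2 || len < 14 + 20 || be16(f + 12) != 0x0800)
        return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4)
        return 0;
    if ((ip[9] != 6 && ip[9] != 17) || (be16(ip + 6) & 0x3fff) != 0)
        return 0;                       /* not TCP/UDP, or an IP fragment */
    uint32_t a = be32(ip + 12), b = be32(ip + 16);
    uint32_t pa = be16(ip + ihl), pb = be16(ip + ihl + 2);
    if (a > b || (a == b && pa > pb)) { /* order endpoints: A->B == B->A */
        uint32_t t = a; a = b; b = t; t = pa; pa = pb; pb = t;
    }
    uint32_t key[4] = { a, b, (pa << 16) | pb, ip[9] }, h = 2166136261u;
    for (int i = 0; i < 4; i++)         /* FNV-1a over the ordered 5-tuple */
        for (int s = 0; s < 32; s += 8)
            h = (h ^ ((key[i] >> s) & 0xff)) * 16777619u;
    return 1 + h % (nworkers - 1);
}

/* Constructed sample: 38-byte Ethernet+IPv4+ports frame, caplen bytes captured. */
unsigned sample_worker(uint8_t proto, uint32_t src, uint16_t sport,
                       uint32_t dst, uint16_t dport, size_t caplen, unsigned n)
{
    uint8_t f[38] = {0};
    f[12] = 0x08; f[14] = 0x45; f[23] = proto;
    for (int i = 0; i < 4; i++) {
        f[26 + i] = (uint8_t)(src >> (24 - 8 * i));
        f[30 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    f[34] = (uint8_t)(sport >> 8); f[35] = (uint8_t)sport;
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;
    return pick_worker(f, caplen > 38 ? 38 : caplen, n);
}

int main(void)
{
    printf("%u\n", sample_worker(6, 0xC000020AU, 51000, 0xC0000214U, 443, 38, 8));
    return 0;
}
```

Everything that falls back to worker 0 (here ICMP, fragments and short captures) still has to be dissected in order, which is where the cross-thread hand-off the answer mentions would come in.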


Stats

Asked: 2019-05-12 20:05:02 +0000

Seen: 983 times

Last updated: May 12 '19