Wireshark Freezes During WAN Speed Tests


I have set up port mirroring on my 24-port Netgear switch so that I can see the traffic between the ingress WAN and egress WAN that goes towards my OpenWrt router. The switch's mirroring port is connected to a spare NIC in my PC where I can see all of the traffic for the selected network interface.

When Wireshark is open and I carry out a WAN speed test with Ookla SPEEDTEST on any device on the network, for example, the Wireshark software freezes up no matter how much I narrow down the packets displayed using the display filters. My question is, is this normal or am I just trying to view too many packets at once and my computer can't keep up in real-time?

Whilst Wireshark is being unresponsive, the device performing the speed test suffers to reach full speeds. I hear of people using tcpdump across many IT forums but never looked at it. I take it it creates a full dump of the network for a specified capturing timeframe, and then you import the data into Wireshark to filter the data as though it's real-time traffic?

Is this the approach I shouldn't be taking to eliminate Wireshark crashes and severe network saturation? Also from the title of tcpdump, does it capture more than the TCP protocol despite the name?

Many thanks