Hello experts,
On Windows 10 run over a good configuration system (Intel i7, 16 GB RAM), an application is receiving live traffic at 30Mbps which is then relayed/passed on to a 64-bit Wireshark process via a (unnamed) PIPE. Pipe is created by CreatePipe() Win API and tied to Wireshark stdin - a Windows recommended way. Wireshark CPU & RAM consumptions do not indicate overload.
It looks like Wireshark is not able to receive traffic at this rate. In fact, it is able to receive at ~2Mbps only. Some steps tried that have not yielded positive results:
- Increase size of pipe from the default size to 512KB to 4MB to 40MB - throughput degraded once the pipe fills up in a few seconds
- Tried to flush the pipe using FlushFileBuffers - throughput degraded (https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-flushfilebuffers)
- Specified a buffer-size to Wireshark using option -B 100 - no improvement
- Used hard disk type SSD instead of HDD - no improvement
- When we ran a custom program on the other side of the pipe that consumes packets just like Wireshark would (with very less overhead of processing), we are able to pass on traffic at the expected 30 Mbps.
Questions:
Q.1. At what rate Wireshark can
receive traffic over a PIPE from
other apps?
Q.2. What
(settings/parameters/environment)
would slow Wireshark down when
receiving traffic over PIPE?
Q.3. What
configuration/environment/parameters
changes of Wireshark or Windows OS
can be made improve Wireshark
throughput?
Q.4. How does the
throughput of Wireshark on Windows
receiving traffic over a
pipe-to-stdin compare with Wireshark
throughput when listening over a
network interface?
Regards,
Amit
