I compared performance of WireShark, latest version, on a very powerful Mac to a reasonable Dell Windows 11 computer.
I obtained a 2.3GB .pcapng file for analysis. It was provided by a client experiencing a packet storm. Here are the results of loading the file, running the Expert Analysis, and obtaining the IPv4 Endpoint table:
- MacBook Pro, 96G, M2Max: 11 hours 45 minutes
- Dell Inspiron: 31 seconds
Due to the ridiculous difference in performance, I wiped Wireshark from the powerful Mac and reinstalled from scratch. Opened the .pcapng file again and ran the same tests. Results were basically the same. (Yes, this took two days to finish)
Any idea what is wrong with the Arm64 code for Wireshark? I"ve benchmarked this Mac against the Dell laptop in every other application and it has always been faster, sometimes 2-4x faster. Wireshark on the Mac appears to be 1,364 times SLOWER.
Watching this pathetic load and analysis operation it looks like the Mac version of the code loads a few packets recalculates everything, then loads a few more packets. This is based on the spinning beachball of death which appears, then the statistics screen updates with perhaps a hundred more packets analyzed, then repeats indefinitely.
On the other hand, in WIndows, it appears Wireshark loads everything, runs a single analysis, and finishes promptly.
Not sure if that observation matches what is happening, as I would assume the source code base is the same and Wireshark merely compiles to different target architectures.
Any Wireshark-on-Mac experts out there who can shed light on this massive performance difference?