Hi expert, we are in a situation where we have to capture around 5 Gig of traffic. We are going to build out a VM and install the Wireshark package on it. Using dumpcap, we plan to capture traffic and later analyze it with Wireshark. Does anyone have a doc which can step me through how to set up a capture using dumpcap on a VM? Thanks

This question is marked "community wiki".

asked 18 Nov '15, 11:35 Anush
One Answer:
I doubt that this will work, because if you want to capture the full frame size, your VM would have to write 500 Mbyte/s. If you want to capture only the first 100 bytes, it would be much less than that, but then you can't look very deep into the frames. Furthermore, putting such a high network IO load on a VM might lead to dropped frames in the vSwitch, so you won't see those frames in the capture file. And finally, do you have a spare 10 Gig port on the switch and on the VM host to capture 5 Gig/s? If not, it's going to become hard, because if you flood the productive VM host interface with the mirrored traffic as well, it could easily lead to an oversubscribing of that link. There is nothing special you have to do to run dumpcap in a VM. You just need an OS that offers Wireshark/dumpcap. So, Linux and Windows are good candidates. The problem will be network IO load for your VM host and disk IO load to write the pcap file. But hey, give it a try. Maybe it works. Regards

answered 19 Nov '15, 09:20 Kurt Knochner ♦

Thanks Kurt for this explanation. I spoke to the server guy and he said the VM will use a 10 gig pipe through the ESX host, so he is not expecting any issue there. For writing to disk, we will get a 1 TB hard drive. And yes, the ESX host is connected to a 10gig port on the switch. I will keep you posted how it goes. Thanks (19 Nov '15, 11:37) Anush
It's not about the size of the disk. It's about the write speed! Size comes later, if you need to run the capture for a longer period. Would be interesting to know how this works and/or if it works at all. Please keep in mind: if you see signs of packet loss in the resulting capture file, it could be caused by the capturing system's inability to capture and write all frames and not due to real packet loss on the network!! (19 Nov '15, 11:50) Kurt Knochner ♦
Is that 5 Gig/s or 5 Gig in total? And why do you want to do the capturing in a VM??
It's 5 Gig/s. We don't have any network capturing tool which can capture that rate of data, so we decided to set up a VM on an existing ESX host, install Wireshark on it and do the capture using dumpcap. The ESX host is directly connected to the network switch. We will configure the switch to capture the traffic on the interface of interest and send that stream to the interface where the ESX host is connected.
Thanks
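Kurt's point about write speed and the original request for a dumpcap setup, as an added example that is not code from this thread: a bash script that estimates the sustained disk write rate for a given link rate and snaplen (the full-frame and first-100-bytes cases discussed above) and builds a ring-buffer dumpcap command line. The interface name, average frame size, file sizes and output directory are assumed values.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Assumed values: interface name,
# frame sizes, snaplens and the output directory.
set -eu

# Bytes dumpcap writes per captured frame: min(frame length, snaplen)
# plus the 16-byte per-packet record header of the pcap format.
bytes_per_frame() {   # bytes_per_frame FRAME_LEN SNAPLEN
    local frame=$1 snap=$2
    local body=$(( frame < snap ? frame : snap ))
    echo $(( body + 16 ))
}

# Estimated sustained disk write rate in MB/s for LINK_GBPS gigabit/s of
# frames averaging FRAME_LEN bytes on the wire, captured with SNAPLEN.
# Frames/s = link bit rate / (frame bits + 20 bytes of preamble and gap).
write_rate_mb_s() {   # write_rate_mb_s LINK_GBPS FRAME_LEN SNAPLEN
    local gbps=$1 frame=$2 snap=$3
    local wire_bits=$(( (frame + 20) * 8 ))
    local fps=$(( gbps * 1000000000 / wire_bits ))
    local per_frame
    per_frame=$(bytes_per_frame "$frame" "$snap")
    echo $(( fps * per_frame / 1000000 ))
}

# dumpcap command line for a bounded ring buffer: NUM_FILES files of
# FILE_MB MB each (-b filesize takes kB), a 256 MiB kernel capture
# buffer (-B) to absorb bursts, and the snaplen the estimate assumed.
dumpcap_cmd() {   # dumpcap_cmd IFACE SNAPLEN OUTDIR FILE_MB NUM_FILES
    local iface=$1 snap=$2 outdir=$3 file_mb=$4 nfiles=$5
    printf 'dumpcap -i %s -s %s -B 256 -b filesize:%s -b files:%s -w %s/capture.pcapng\n' \
        "$iface" "$snap" "$(( file_mb * 1000 ))" "$nfiles" "$outdir"
}

# Demo: 5 Gbit/s of 1000-byte frames, full frames versus the first 100 bytes.
printf 'full frames : ~%s MB/s\n' "$(write_rate_mb_s 5 1000 65535)"
printf 'snaplen 100 : ~%s MB/s\n' "$(write_rate_mb_s 5 1000 100)"
dumpcap_cmd eth1 65535 /captures 1000 500
```

When dumpcap stops it reports how many packets the capture buffer dropped; a non-zero count there means gaps in the file came from the capturing host, as Kurt warns, not from the network.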