This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does wireshark support capturing traffic at 10GB?

0

I want to know whether Wireshark supports 10Gb interface data traffic. If not, is there any way to extend Wireshark to support 10G? Please respond as soon as possible.

Thank you

asked 19 Feb '16, 03:32

rathnaTech
31348
accept rate: 0%

edited 14 Aug '16, 10:36

Guy Harris ♦♦
17.4k335196


2 Answers:

2

Wireshark run on a normal PC won't be able to support full rate 10GB traffic. In my local experiments it can't even support full rate 1GB traffic, lots of packet drops.

To capture at that rate you're probably looking at a specialized capture appliance, e.g. Steelhead Netshark.

answered 19 Feb '16, 04:08

grahamb ♦
19.8k330206
accept rate: 22%

Thank you for your response, grahamb, I agree with you. Are there any other libraries (like Wireshark) that support 10G traffic capture?

(19 Feb '16, 04:18) rathnaTech

Wireshark works with 10Gb Ethernet cards; the thing is the traffic rate. Most probably you don't want to save saturated 10Gbit link traffic to file anyway, as it would produce a huge amount of data, and if you do, you will probably have to look for commercial solutions with custom HW and lots of disk storage.

(19 Feb '16, 04:23) Anders ♦

You can use special capture NICs that support capture filters to reduce the amount of traffic being written to disk, e.g. from Napatech, Accolade Technology or Fiberblaze.

(19 Feb '16, 05:52) Jasper ♦♦

> In my local experiments it can't even support full rate 1GB traffic, lots of packet drops.

Have you tried capturing with tcpdump instead? In at least some experiments on Linux a while ago (done by the person who did the TPACKET_V3 support for libpcap), tcpdump run with the -w flag dropped fewer packets than dumpcap.

(14 Aug '16, 10:37) Guy Harris ♦♦

0

I used wireshark on a PC in 2013 to capture full 10Gb/s traffic (Windows 7 I think). The trick was to capture only to RAM -- increase the capture buffer, stop when it is full, use best capture filters, use best NIC driver.

Noam Cohen

answered 14 Aug '16, 01:49

noam
61
accept rate: 0%

It's more a question of whether your hard disk can write as fast as 10Gbps. If it cannot, you will get a lot of dropped packets waiting to be written out to disk!

Semiconductor hard disks or RAM disks are usually required to capture at that speed.

FWIW

(14 Aug '16, 06:21) wbenton
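
The disk-throughput and RAM-buffer points raised in this thread can be put into numbers. The following is an added example, not part of the original thread: it assumes one direction of a saturated link, classic pcap records (16-byte header per packet), the 4-byte FCS stripped by the NIC, and an optional libpcap snapshot length; the function names are hypothetical.

```python
# Added example: how fast a saturated link fills a disk or RAM buffer.
# Assumptions: classic pcap record format, FCS not delivered to the capture.
PCAP_RECORD_HEADER = 16   # bytes prepended to every packet in a pcap file
WIRE_OVERHEAD = 20        # preamble+SFD (8) + inter-frame gap (12), never captured
FCS = 4                   # frame check sequence, assumed stripped by the NIC


def packets_per_second(link_bps, frame_len):
    """Maximum frames/s on the wire; frame_len includes the 4-byte FCS."""
    return link_bps / ((frame_len + WIRE_OVERHEAD) * 8)


def pcap_bytes_per_second(link_bps, frame_len, snaplen=None):
    """Bytes/s of pcap records produced when the link runs at line rate."""
    captured = frame_len - FCS
    if snaplen is not None:
        captured = min(captured, snaplen)   # truncation cuts the write rate
    return packets_per_second(link_bps, frame_len) * (captured + PCAP_RECORD_HEADER)


def seconds_until_full(buffer_bytes, link_bps, frame_len, snaplen=None):
    """How long a buffer lasts if nothing drains it (capture-to-RAM case)."""
    return buffer_bytes / pcap_bytes_per_second(link_bps, frame_len, snaplen)


def report(link_bps=10_000_000_000, buffer_bytes=8 * 1024**3):
    """Return one row per frame size; the 8 GiB buffer is a constructed sample."""
    rows = []
    for frame_len in (64, 512, 1518):
        rows.append({
            "frame_len": frame_len,
            "mpps": packets_per_second(link_bps, frame_len) / 1e6,
            "write_MBps": pcap_bytes_per_second(link_bps, frame_len) / 1e6,
            "buffer_s": seconds_until_full(buffer_bytes, link_bps, frame_len),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print("{frame_len:>5} B frames: {mpps:6.2f} Mpps, "
              "{write_MBps:7.1f} MB/s to storage, "
              "8 GiB buffer full in {buffer_s:4.1f} s".format(**row))
```

Whatever the frame size, the storage has to sustain well over 1 GB/s, while small frames push the packet rate past 14 million per second, so both the disk and the per-packet processing path have to keep up.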