This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

the peak of network flow rate that wireshark can deal with


I am wondering what is the peak of network flow rate that Wireshark can deal with. Is it 1Gbps or 10Gbps? I need an answer. Thank you.

asked 18 Oct '10, 01:37

jerrylin

edited 07 Feb '16, 05:37

Christian_R


2 Answers:

I think it's mostly a hardware issue, and specifically how fast the data can be transported and written from the NIC PHY to the storage system. I would strongly recommend using PCI Express NICs (PCI-X or PCI are too slow for anything above 2-3 hundred MBit/s), and going for the fastest hard drives in a fast RAID setup (meaning: NOT RAID 5 or any other RAID level writing CRCs). I usually prefer RAID 10, but it can get quite expensive. I built a box once, using the Cacetech TurboCAP card on a XEON Quad Core with 8 300G Velociraptor SAS drives running on an ICP Vortex/Adaptec RAID card as RAID 10, and it had no trouble capturing 1G/s with zero packet drops and full packet size captured.

I did a test once, capturing a link providing 1GBit/s sustained traffic with a Core2Duo Laptop (2-3 years old) with 4Gig of RAM, one 7200 2.5 SATA drive and a PCI-E Gigabit NIC. I had about 80% packet drops. After tuning various Wireshark capture settings I got down to 0% packet drops, but it required heavy frame slicing down to 64 bytes in the end, which is not applicable in all capture situations.

answered 19 Oct '10, 16:20

Jasper ♦♦
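What the frame slicing mentioned in the answer above does to the capture file, as an added example that is not part of the original post: each record in a classic pcap file stores both the captured length and the original on-the-wire length, so slicing can be detected and its storage saving measured. The function names and the frame sizes are constructed for illustration, and the file is assumed to be classic little-endian pcap rather than pcapng.

```python
import io
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4              # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def build_sample_pcap(frame_sizes, snaplen):
    """Constructed sample: zero-filled frames stored as a capture sliced at `snaplen` would store them."""
    buf = io.BytesIO()
    buf.write(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))  # linktype 1 = Ethernet
    for i, size in enumerate(frame_sizes):
        incl = min(size, snaplen)
        buf.write(RECORD_HDR.pack(i, 0, incl, size))
        buf.write(bytes(incl))
    return buf.getvalue()


def slicing_report(pcap_bytes):
    """Walk every record and compare bytes seen on the wire with bytes written to the file."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian microsecond pcap file")
    offset = GLOBAL_HDR.size
    packets = sliced = wire = stored = 0
    while offset < len(pcap_bytes):
        if offset + RECORD_HDR.size > len(pcap_bytes):
            raise ValueError("truncated record header")
        _, _, incl_len, orig_len = RECORD_HDR.unpack_from(pcap_bytes, offset)
        offset += RECORD_HDR.size + incl_len
        if offset > len(pcap_bytes):
            raise ValueError("truncated record data")
        packets += 1
        sliced += int(incl_len < orig_len)   # payload beyond incl_len is gone for good
        wire += orig_len
        stored += RECORD_HDR.size + incl_len
    return {"snaplen": snaplen, "packets": packets, "sliced": sliced,
            "wire_bytes": wire, "file_bytes": GLOBAL_HDR.size + stored}


if __name__ == "__main__":
    frames = [1514, 1514, 60, 590, 1514]     # constructed frame sizes
    for snap in (65535, 64):
        print(slicing_report(build_sample_pcap(frames, snap)))
```

A high `sliced` count means the file is fine for header-level analysis, but payload inspection and stream reassembly are not possible on those packets.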

That all depends on:

  • Your network interface
  • Your storage subsystem
  • Your processing platform

You could take a look at the Cace Technologies website for high rate capture solutions.

answered 18 Oct '10, 09:36

Jaap ♦

Does that mean Wireshark can capture and analyse network flow at any rate if the hardware conditions allow? The bottleneck is the hardware? For example, if the network flow rate is 10Gbps, the hardware is extremely strong (Intel(R) Xeon(R) CPU L5420, 8GB, 2TB), and the platform is Linux, can Wireshark work with the rate normally?

(18 Oct '10, 19:36) jerrylin

It still depends - what kind of NIC are you using? Is it CPU dependent? What else is running on the box? Are you monitoring via SPAN or a tap? Are you running a full 10Gbps?

(19 Oct '10, 07:40) GeonJay