This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Start a continuous tcpdump every 30 Minutes (Performance wise)

0

Dears, I'm having an HP ProLiant Gen 9 server with 32 GB of memory and I'm using CentOS 7. Performance-wise, is it okay to start a continuous tcpdump on that server every 30 minutes, and once each file is ready I will do some analysis on it using tshark? Will that affect the performance of the server? Take into consideration that I will use delete jobs to delete files older than two days because of storage limitations.

asked 09 Feb '17, 04:18


MYK
accept rate: 0%


One Answer:

0

You might as well use dumpcap (the capture engine of Wireshark/Tshark) directly instead of tcpdump if you are not interested in real-time dissection. This just writes out the file (without dissection, but allows for capture filtering, just as tcpdump) so should be suitable for your use case. Generated load depends on network traffic density and disk IO performance.

answered 09 Feb '17, 07:44


Jaap ♦
accept rate: 14%

We've found that the impact on CPU of tcpdump and dumpcap is minimal- you probably wouldn't even be able to measure it. Memory usage depends on the buffer setting for dumpcap and it's very small for tcpdump.

It's disk that gets hit hard. So the best thing to do is direct the output to a "quiet" or dedicated disk - we sometimes use USB disks which work well.

There's quite a lot of info on this subject in the Network Trace Capture section of the TribeLab site - see https://community.tribelab.com/course/view.php?id=10

(11 Feb '17, 00:03) PaulOfford
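As an added example (not from the thread above), the setup the question and answer describe, done with dumpcap's own ring buffer: a new file every 30 minutes, two days of files retained, capture filtering instead of dissection, and a separate prune as a fallback. The interface name, capture directory and capture filter are placeholders; it assumes dumpcap is installed and the directory sits on the dedicated disk suggested in the comment.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes dumpcap is
# installed and that CAPTURE_DIR (placeholder) is on a quiet/dedicated disk.

ROTATE_SECONDS=1800      # start a new file every 30 minutes
RETENTION_DAYS=2         # keep two days of captures

# Ring size for dumpcap: once this many files exist, dumpcap deletes the
# oldest one itself, so the ring alone gives the two-day retention.
ring_files() {
    # $1 = rotation interval in seconds, $2 = retention in days
    echo $(( $2 * 86400 / $1 ))
}

# Build (print, don't run) the dumpcap command line so it can be inspected.
#   -f  capture filter, BPF syntax as in tcpdump (no dissection, low CPU)
#   -B  kernel buffer size in MiB; raise it if dumpcap reports dropped packets
#   -s  snaplen; a small value cuts disk IO when only headers are needed
#   -b duration:N / -b files:N  rotate every N seconds, keep at most N files
build_capture_cmd() {
    # $1 = interface, $2 = capture dir, $3 = capture filter (all placeholders)
    printf 'dumpcap -i %s -f "%s" -B 64 -s 0 -b duration:%d -b files:%d -w %s/trace.pcapng\n' \
        "$1" "$3" "$ROTATE_SECONDS" \
        "$(ring_files "$ROTATE_SECONDS" "$RETENTION_DAYS")" "$2"
}

# Fallback delete job for files outside the ring (for example after the
# rotation settings were changed). Prints how many files it removed.
prune_old_captures() {
    # $1 = capture dir
    age_min=$(( RETENTION_DAYS * 1440 ))
    n=$(find "$1" -name '*.pcapng' -type f -mmin +"$age_min" | wc -l)
    find "$1" -name '*.pcapng' -type f -mmin +"$age_min" -exec rm -f {} +
    echo $(( n + 0 ))
}

# Usage (kept as a comment so nothing starts capturing when this file is run):
#   eval "$(build_capture_cmd eth0 /mnt/capture 'not port 22')" &
#   prune_old_captures /mnt/capture      # e.g. from a daily cron entry
# Finished ring files can then be analysed with tshark -r <file> as they close.
```
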