On Mon, 16 Feb 2004, Tan ChaurLih wrote:
> Hi All,
>
> I'm currently using Ethereal to analyse logs which are collected on my
> home network. As I leave tcpdump running for extended periods (close to 24
> hours per log), the captures easily end up at about 200+MB.

I tend to deal with large files as well. 300+ MB is not unusual as I
capture from GigE.

> Since I need to filter for various protocol parameters regularly when
> auditing the traffic, I find Ethereal a pain as I have to wait quite a
> while, even on a P4 2.8GHz with 128MB of RAM, for ALL the packets to be
> dissected and then filtered. I was wondering if it was possible to cache
> the results of all packet dissection in memory or an external file and index
> it, avoiding the penalty of re-dissection on a change in filter expression.
> Of course, there would be situations where packet dissection must happen all
> over again (for example, changing some preferences), but for the most part,
> the re-dissection is due to filtering.

We recently went through an exercise to improve the speed of Ethereal.
What version are you using? 0.10.0a is a lot faster.

> As I am currently a student with a rather light workload, and I'm
> interested in software development, I wonder if it's feasible for me to
> modify Ethereal to do this and then integrate the changes back. Being a
> newbie on the mailing list here, I would like to ask for the kind advice of
> the more established members =) .

Build a profiled version of Ethereal and then measure the cost using gprof
to see where Ethereal is spending most of its time.

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com