Wireshark-users: Re: [Wireshark-users] Capture machine spec?

From: "Richard Bejtlich" <taosecurity@xxxxxxxxx>
Date: Tue, 20 Jun 2006 08:48:28 -0400
David Meagher wrote:

Hi,
I've been tasked with spec'ing a capture analysis machine.
It will be used to do analysis of multiple 500 MB captures.

Can someone suggest a spec for a desktop PC to view these on?
Is RAM more of an issue than CPU, or perhaps SATA/RAID storage?

Hi David,

You might want to take another look at this problem.  I've loved using
Ethereal for about 7 years, but sometimes it's not the right tool for
the job.  This is especially true when large traces are involved.

I wrote the article "Structured Traffic Analysis" to address how I
analyze traces:

http://www.insecuremagazine.com/INSECURE-Mag-4.pdf

The idea behind STA is to discover traffic of interest without taking
a packet-by-packet approach.  Once you use other data to identify
specific packets you want to inspect, then you load a subset of that
traffic into Ethereal/Wireshark.

I never, ever load large traces into Ethereal/Wireshark.  That allows
me to analyze just about anything that truly matters on my PIII 750
MHz / 512 MB RAM laptop.

Sincerely,

Richard
http://www.taosecurity.com

PS: I do plan to finally upgrade the laptop this year.  I still won't
load large traces, though.  :)
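A worked illustration of the subset-first approach described above (an added example, not code from the post or from the Wireshark project): build a flow table from a capture without dissecting packets, pick the flows worth inspecting from that table, then carve only those frames into a small pcap that is cheap to open in Wireshark. It assumes classic little-endian pcap files containing Ethernet/IPv4 frames; the sample trace, hosts and ports are constructed, not captured.

```python
import struct
from collections import defaultdict
PCAP_MAGIC, ETH_IPV4 = 0xA1B2C3D4, 0x0800
def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a classic little-endian pcap; pcapng is not handled."""
    assert struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC, "classic pcap only"
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack_from("<IIII", data, off)
        yield ts_sec, ts_usec, data[off + 16:off + 16 + incl]
        off += 16 + incl
def flow_key(frame):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return (proto, src, 0, dst, 0)
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (proto, src, sport, dst, dport)
def summarize(data):
    """Session table (flow key -> [packets, bytes]): the 'other data' used to choose flows."""
    flows = defaultdict(lambda: [0, 0])
    for _, _, frame in read_pcap(data):
        if key := flow_key(frame):
            flows[key][0] += 1
            flows[key][1] += len(frame)
    return dict(flows)
def carve(data, want):
    """Return a new pcap holding only frames whose flow key satisfies want(key)."""
    out = bytearray(data[:24])
    for ts_sec, ts_usec, frame in read_pcap(data):
        if (key := flow_key(frame)) and want(key):
            out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)
def make_frame(proto, src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal ports-only L4 header; not captured traffic."""
    l4 = struct.pack("!HH", sport, dport) + bytes(4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + struct.pack("!H", ETH_IPV4) + ip + l4
# Constructed sample trace: 200 bulk HTTP frames hide one short flow to an unexpected peer.
FRAMES = [make_frame(6, "10.0.0.5", 40000, "192.0.2.10", 80, bytes(1000))] * 200
FRAMES += [make_frame(6, "10.0.0.5", 51000, "198.51.100.7", 8080, b"hi")] * 3
SAMPLE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(FRAMES))
SUBSET = carve(SAMPLE, lambda k: k[4] == 8080)  # only this flow gets loaded into Wireshark
```

On a real trace, `summarize` is the step that runs over the whole file; the flow table is small enough to sort by bytes or packets, and only the flows chosen from it are handed to `carve`.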