Wireshark-users: Re: [Wireshark-users] gigabit ethernet capture

From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Mon, 6 Nov 2006 11:06:10 -0500
Sam,

When you capture on a high speed network, try using dumpcap instead of Wireshark for the actual packet capture.  Dumpcap comes with Wireshark but just captures packets.  It should be in your Wireshark install directory.  I learned this from someone else on the list.  My experience has been that dumpcap does a much better job of just capturing packets than Wireshark (which tries to interpret them).  On a slow network it doesn't matter.  However, when I have done wire speed 100Mbps captures, my experience was that Wireshark could not keep up with a live 100Mbps wire speed capture (my laptop ran out of CPU power), while dumpcap had no trouble at all.

Second of all, I do not believe a general PC can do wire speed gigabit captures.  For one thing, I believe the bus bandwidth for your Gigabit card is around a gigabit.  My understanding is that a general PC/laptop has a 32 bit, 33MHz PCI bus - 32 bits * 33.33 MHz = just over 1Gbps.  That means that to do wire speed captures, your PCI NIC would have to be able to use 100% of the PCI bus bandwidth non-stop - which I do not believe is possible.  I believe to do wire speed gigabit captures, you would want something like a high end server/desktop with a PCI-X bus or PCI Express and a high speed Intel NIC of the same bus type.  You'd probably also want a fast Xeon CPU and a disk array - you wouldn't believe how fast wire speed gigabit captures fill up disk space...  :-)

Of course, you can still do captures, I just suspect that you will drop some packets.

--Jim

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Samuel Deckard
Sent: Monday, November 06, 2006 10:46 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] gigabit ethernet capture


Hi all, 
I'm new to the users mailing list and have had limited experience with Ethereal/Wireshark. Most of my experience has been with tracing 10/100 mb. ethernet.
I've had a couple of requests to trace a wired gigabit network. I'm using an IBM Thinkpad T42. It's a 1.7 GHz Pentium M running Windows XP. It has a built-in Intel Pro/1000 MT Mobile Connection ethernet adapter. Has anyone traced gigabit ethernet on a laptop? How fast of a machine is required? Any tips you could share with me would be appreciated.

Thanks
Sam Deckard