On Sat, Feb 9, 2008 at 12:27 PM, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> ronnie sahlberg wrote:
> > Personal first hand experience.
> >
> SCNR to ask your motivations ;-)
>
> > I have tested this myself on several PCs and compared. The same host,
> > the same capture file, the same preferences using the same SVN version
> > of wireshark
> > it ran 2+ times faster when booting into linux than w2k and w2k3.
> > Bear in mind, the tests were all for semi large capture files in the
> > range 10-200MByte and testing how long it takes to load a trace, how
> > long it takes to filter a trace, how long it takes to bring up the tcp
> > sequence number graph.
> > I think it was something like 5-6 different single and multi cpu systems.
> > (multiprocessing is a bit pointless with wireshark)
> >
> Well, while *capturing*, the capture and display tasks could run on two
> different CPUs - however, I've never checked if they really do ;-)
This use case was for people that would never capture, only download
existing captures from a central repository for post capture analysis.
>
> > The purpose was to find which hw+sw config would perform the fastest for a
> > large group of users that would spend a significant amount of time
> > looking at and filtering and analyzing 100MB - 1GByte large capture
> > files. I don't care what systems the end users would end up using,
> > they just wanted to know :
> > "which hw+sw combination should we use to make analyzing/filtering of
> > large captures as fast as possible".
> >
> Right! And I don't have any problems with your recommendation as you
> have tested it :-)
>
> > That is probably an effect of linux having vastly better memory
> > management than windows.
> >
> Oh, come on! Please don't spread FUD just as Microsoft does!!!
>
> Simply stating that Wireshark is 2+ times faster on Linux than on
> Windows, so this is probably caused by worse memory management on
> Windows is just FUD. Keep in mind that the libraries used to run
> Wireshark/tshark all have their origins in the "Unix world", so they're
> probably optimized here and ported more or less well to the Windows
> platform. For example, GTK+ is running "almost natively" on X
> (basically it was built as a replacement for motif) and was much later
> ported to Windows. Therefore it's just very likely that GTK+ is running
> faster on Linux than on Windows.
>
> Following the same argumentation, using a fast commercial analyzer
> (highly optimized for) Windows compared to Wireshark would clearly state
> the superior Windows platform ...
>
Yes, you're right.
WHY linux+wireshark is/was faster than windows+wireshark is unknown.
It just is/was.
The larger the capture file is/was the greater the difference is/was.