Wireshark capture buffer not big enough - TCP-IP


  1. Wireshark capture buffer not big enough

    Gurus,

    When you use Wireshark to capture packets to and from your machine to others
    on the network I heard that it can dump packets because its buffer may not
    be big enough to hold all the information. Is this true?

    --
    Spin


  2. Re: Wireshark capture buffer not big enough

    "Spin" wrote:
    > When you use Wireshark to capture packets to and from your machine to
    > others on the network I heard that it can dump packets because its
    > buffer may not be big enough to hold all the information. Is this
    > true?


    Wireshark/Ethereal packet capture can fall behind and then miss packets
    when the monitored interface sees prolonged periods of saturated wire
    traffic. There are settings you can adjust that may reduce or possibly
    eliminate the frequency of these drops. A fast machine also helps.

  3. Re: Wireshark capture buffer not big enough

    Spin wrote:
    > Gurus,
    >
    > When you use Wireshark to capture packets to and from your machine to others
    > on the network I heard that it can dump packets because its buffer may not
    > be big enough to hold all the information. Is this true?
    >


    You are generally better off using a sniffer on a system that is not one
    of the connection endpoints.

    To improve performance, you might consider the following:

    The Capture Options permit you to limit the capture depth of each
    packet. Reducing the capture depth should improve performance. In many
    cases a capture depth of 100 bytes is adequate (depending on what you
    are analyzing).

    Automatic scrolling in live capture, and some of the higher-level Name
    Resolution options also introduce a performance penalty.

    Best Regards,
    News Reader
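
Added example (not part of the original posts): the capture depth mentioned in the reply above is stored in a classic pcap file as the snaplen header field, and every record keeps both its stored and its on-wire length, so a saved capture can be checked for how many packets were cut short and how much data was saved. The sample file is constructed in the code, the function names are illustrative, and pcapng files are not handled.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_sample_pcap(snaplen, frame_sizes):
    """Constructed sample: a pcap file as a capture with this snaplen would write it."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # 1 = Ethernet
    for i, orig_len in enumerate(frame_sizes):
        incl_len = min(orig_len, snaplen)       # capture depth cuts the stored bytes
        out += struct.pack("<IIII", i, 0, incl_len, orig_len)
        out += bytes(incl_len)                  # zero-filled placeholder frame data
    return out

def summarize_pcap(data):
    """Report the snaplen and how many records were truncated by it."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                   # same magic, written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset, packets, truncated, on_wire, stored = 24, 0, 0, 0, 0
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("file ends inside a packet record")
        offset += incl_len
        packets += 1
        on_wire += orig_len
        stored += incl_len
        truncated += incl_len < orig_len        # stored less than was on the wire
    return {"snaplen": snaplen, "packets": packets, "truncated": truncated,
            "bytes_on_wire": on_wire, "bytes_stored": stored}

if __name__ == "__main__":
    sample = build_sample_pcap(100, [60, 1514, 1514, 66, 590])
    print(summarize_pcap(sample))
```

A truncated record still holds the start of the frame, so the link, IP and TCP headers usually survive a 100-byte depth while most of the payload does not.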

  4. Re: Wireshark capture buffer not big enough

    On Sat, 6 Sep 2008 07:13:38 -0400, Spin wrote:
    > Gurus,
    >
    > When you use Wireshark to capture packets to and from your machine to others
    > on the network I heard that it can dump packets because its buffer may not
    > be big enough to hold all the information. Is this true?


    Yes, although I'm not sure if it uses a buffer or writes directly to
    disk (and lets the OS do the buffering).

    I always use tcpdump for collecting the data to file. Tcpdump is
    simpler, and may or may not be faster than Wireshark, and may or may
    not have a bigger chance of dropping packets. I have certainly seen it
    miss packets when I tell it to write to a file on a slow file system.

    /Jorgen

    --
    // Jorgen Grahn \X/ snipabacken.se> R'lyeh wgah'nagl fhtagn!
