Performance

Performance

Some tips to fine tune Wireshark's performance.

There are two main topics where performance currently is an issue: large capture files and packet drops while capturing.

Working with large capture files

If you have a large capture file e.g. > 100MB, Wireshark will become slow while loading, filtering and alike actions.

There are some things you can do, but unfortunately this will remove some decoding comfort:

Disabling some preference settings may save you a lot of memory consumption. Be aware that these features are probably required to detect the packets properly that you want to capture. So maybe you miss packets that are missinterpreted.

You can check if that's the case, by loading a capture file, setting a display filter of the packet types in question and see if the number of displayed packets are the same with and without these settings. You may need to reload the file after changing the settings (and don't forget to press the "Save" button :-).

Some good preference setting candidates:

Display system overview

If the above hints didn't help, you may need to advance your machine. To do this, the following gives some insights which parts are worth looking at.

A simplified look at the display system:

harddisk -> packet dissection -> display filter / coloring rule -> display

The things that may help: Add more physical RAM and use a faster CPU (multi core CPU's won't help a lot, the dissection is done in a single task)

Packet drops while capturing

After you've finished a capture, you've noticed packet drops, indicated by the statusbar counter.

What has happened? Not all packets coming in from the network could be saved into the capture file. As your machine was too slow to handle the incoming packet rate some packets had to be discarded.

General considerations:

Optimized Wireshark settings:

Capturing system overview

If the above hints didn't help, you may need to advance your machine. To do this, the following gives some insights which parts are worth looking at.

A simplified look at the capturing system:

network card -> libpcap(capture filter) -> capture tool -> harddisk

The amount of memory isn't really critical for capturing.

Of course, the system itself should be reasonable configured, e.g. a very fast CPU doesn't make real sense with only very limited RAM.


Imported from https://wiki.wireshark.org/Performance on 2020-08-11 23:17:53 UTC