[Winpcap-users] Can winpcap capture that fast?

Gianluca Varenni gianluca.varenni at cacetech.com
Fri May 2 23:03:38 GMT 2008


Well... Wireshark is slow at capturing on high speed networks (i.e. it cannot keep up), but dumpcap is definitely fast. As a matter of fact, dumpcap is extremely tiny, and just dumps the packets to disk without any processing whatsoever. In the case of dumpcap, the bottleneck is the disk. You said that you were able to capture 900mbps to file (I suppose the whole packet) over a long period of time. Were you using RAID or just a normal disk?

Have a nice day
GV
  ----- Original Message ----- 
  From: Tom Gibson 
  To: winpcap-users at winpcap.org 
  Sent: Wednesday, April 30, 2008 4:55 PM
  Subject: RE: [Winpcap-users] Can winpcap capture that fast?


  I was pleasantly surprised how fast it is.  I had good results using the cmd line tool that comes in wireshark's program folder (dumpcap I think it was).  I was able to capture 900mbp/s to a file over a long period of time.  I just set my buffer high and it worked.  When capturing a lot (100's of gigs) I found I needed to record to multiple files otherwise it would start dropping packets.  This was on a Quadcore system (I'm guessing a dual core would have worked about the same) with a 4 drive raid0 array.  Note though, this was network data where almost all of the packets were ~1500 bytes.  Also the NIC / driver you use could make a real difference at high speeds.  Intel looks like they have a good driver, but I haven't done testing with other NICs to compare. 

   

  Tom

   


------------------------------------------------------------------------------

  From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
  Sent: Wednesday, April 30, 2008 3:02 PM
  To: winpcap-users at winpcap.org
  Subject: Re: [Winpcap-users] Can winpcap capture that fast?

   

  It all depends on what you are doing in your application. Forget about using wireshark for high performance capture. It's *not* the right tool. In case of high speed networks, the solutions are usually

  - having your custom application that analyzes the packets -or-

  - dumping packets to disk using HW RAID in striping mode.

   

  Hope it helps

  GV

   

    ----- Original Message -----
    From: Voora, Srinivas
    To: winpcap-users at winpcap.org
    Sent: Wednesday, April 30, 2008 5:49 AM
    Subject: RE: [Winpcap-users] Can winpcap capture that fast?

     

    We have seen this happening with our application as well as with Wireshark. After hitting 20000 packets/sec it becomes kind of stagnant. At a site recently we were able to handle 80000 packets/sec on a gigabit port. I did not have a chance to see what the difference was.

     

    -----Original Message-----
    From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Zafer SAVAS
    Sent: Wednesday, April 30, 2008 5:58 AM
    To: winpcap-users at winpcap.org
    Subject: YNT: [Winpcap-users] Can winpcap capture that fast?

     

    Hello Ian and Gianluca,

    Thanks for the replies. Here is the summary for what I have done after your responses:

    - I have built a win32 application with Visual C++ and listened for the incoming packets. The code segment for listening is just a for while loop with the pcap_next_ex() function, and when a packet arrives a counter is incremented. That's all, no displaying or saving to disk. As a result only 20K of the packets are captured.

    Again I am able to see that about 400.000 packets are received on the LAN status window in the system tray, which means the NIC has captured them successfully, but I can capture only a very small amount of them.

     

    I am really surprised that only a small amount of the packets are captured by the driver?

    Do you have any other suggestions? Or has someone ever tried to capture a large amount of packets/second (e.g : 60K packets/sec) using winpcap?

     

    Best Regards

    Zafer SAVAS

     


----------------------------------------------------------------------------

    From: Ian Hawley
    Sent: Tue 29.04.2008 19:26
    To: winpcap-users at winpcap.org
    Subject: RE: [Winpcap-users] Can winpcap capture that fast?

    In my experience of recording large volumes of network traffic it is essential to hand off the packets to a secondary buffer in RAM and have another thread consume the data and write it to disk.  I don't even have any logging in my capture thread, as it is synchronous, and experience has shown me that writing one line of text to a log file can stall a thread for several seconds, depending on what the OS is doing.

    Our volume of data is typically < 8Mbytes/second however in ~8500 packets, so at the volumes you are examining you are going to struggle, especially to get that volume of data through the various bus bottle-necks and to disk.  We use dedicated RAID cards with 512MB or 1024MB of cache.

    Hope that helps

    Ian

    -----Original Message-----
    From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
    Sent: 29 April 2008 17:00
    To: winpcap-users at winpcap.org
    Subject: Re: [Winpcap-users] Can winpcap capture that fast?

    You are probably losing packets because you are dumping to disk. Disks are **slow**, they cannot usually keep up dumping 400k packets per second. I would try creating a simple application that simply counts the packets and see if you keep losing packets.

    If you need to dump to disk, I suggest you look at the slides of this presentation

    http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and%20Don'ts.zip

    In particular the slide titled "dumping to disk" gives some hints on it.

    Have a nice day
    GV

    ----- Original Message -----
    From: "Zafer SAVAS" <zsavas at aselsan.com.tr>
    To: <winpcap-users at winpcap.org>
    Sent: Tuesday, April 29, 2008 6:46 AM
    Subject: [Winpcap-users] Can winpcap capture that fast?

    > Hello,
    >
    > I have a question about the recording capability of the Winpcap library:
    > I want to monitor a gigabit ethernet link where a large amount of data is
    > flowing (430.000 MAC Layer packets/second).
    > When I observe my network connection status for incoming and outgoing
    > packets using the windows LAN connection on the system tray, I see that
    > exactly 430.000 packets are received. However when I want to record them
    > using my c program, I can only record 20.000 of them.
    >
    > So, do you think I am doing something wrong or is this the maximum speed
    > of the library?
    >
    > P.S : I am already using the dump file utility of the library for fast
    > recording.
    >
    > Best Regards
    > Zafer
  _______________________________________________
  Winpcap-users mailing list
  Winpcap-users at winpcap.org
  https://www.winpcap.org/mailman/listinfo/winpcap-users
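
The hand-off described in the thread (a capture thread that only copies frames into a RAM buffer while a second thread drains it to disk), sketched as an added example that is not code from any poster or from WinPcap. All names are hypothetical: `ring_push` stands in for what a `pcap_next_ex()` loop would call, the frames are constructed, and `simulate` models a disk stall single-threaded so the drop count is deterministic.

```c
/* Added example; hypothetical names, constructed frames, no WinPcap calls. */
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>
#define SLOT_BYTES 1514   /* one full-size Ethernet frame per slot */
#define MAX_SLOTS  4096   /* upper bound for the simulation's static storage */
typedef struct { uint32_t len; uint8_t data[SLOT_BYTES]; } slot_t;
typedef struct {
    slot_t *slots; size_t nslots;
    atomic_size_t head, tail;  /* head: capture thread only; tail: writer thread only */
    size_t dropped;            /* frames refused: ring full or bad length */
} ring_t;

void ring_init(ring_t *r, slot_t *storage, size_t nslots) {
    r->slots = storage; r->nslots = nslots; r->dropped = 0;
    atomic_init(&r->head, 0); atomic_init(&r->tail, 0);
}
/* Capture side: copy the frame and return; never blocks, logs or touches the disk. */
int ring_push(ring_t *r, const uint8_t *pkt, uint32_t len) {
    size_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    size_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (len == 0 || len > SLOT_BYTES || head - tail == r->nslots) { r->dropped++; return 0; }
    r->slots[head % r->nslots].len = len;
    memcpy(r->slots[head % r->nslots].data, pkt, len);
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return 1;
}
/* Writer side: copy out the oldest frame (0 when empty); the caller writes it to disk. */
uint32_t ring_pop(ring_t *r, uint8_t *out) {
    size_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    size_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail) return 0;
    uint32_t len = r->slots[tail % r->nslots].len;   /* read before releasing the slot */
    memcpy(out, r->slots[tail % r->nslots].data, len);
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return len;
}
/* Each round the disk stalls while `burst` frames arrive, then the writer catches up. */
size_t simulate(size_t nslots, unsigned rounds, unsigned burst) {
    static slot_t storage[MAX_SLOTS];
    static uint8_t frame[SLOT_BYTES], out[SLOT_BYTES];
    ring_t r; ring_init(&r, storage, nslots < MAX_SLOTS ? nslots : MAX_SLOTS);
    for (unsigned i = 0; i < rounds; i++) {
        for (unsigned b = 0; b < burst; b++) ring_push(&r, frame, SLOT_BYTES);
        while (ring_pop(&r, out)) {}
    }
    return r.dropped;
}
int main(void) { return simulate(MAX_SLOTS, 10, 1000) != 0; } /* exit 0: no frames lost */
```

With a 64-slot ring the same ten 1000-frame stalls lose 936 frames each; sizing the ring above the longest expected stall is what removes the loss.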