Re: Wireshark memory handling

[didier <dgautheron () magic fr>]

Hi,
Le vendredi 09 octobre 2009 à 09:15 +0200, Erlend Hamberg a écrit :
> On Friday 9. October 2009 03.47.16 didier wrote:

> > A modified Tshark should be able to upload a capture at around 30,000
> > packets/second.
>
> Very interesting. By "uploading", I presume you mean to the database?
Yes I do.
> > No idea what would be better for the interactive front-end: a modified
> > wireshark or a new application.
> > No idea if you have enough time to do it either.
>
> An important use case -- and the reason for wanting to be able to do one long 
> capture, instead of splitting up captures -- is to follow a TCP stream. Other 
> analysis functions of the Wireshark program are also desirable, so I think our 
> aim should be to use the Wireshark GUI.
IIRC a couple of years ago someone did use a database with ethereal,
their code is on sourceforge but they don't use wireshark anymore. I
don't remember the name but from memories they are Australian and it was
for forensic.
>

> Too slow, full stop? Our experience in using disk-cached data in interactive 
Yes full stop. If wireshark has to swap it's a big file and anyway it's
already too slow even if it everything is in memory, moreover with our
version wireshark going to the disk mean that it is four time slower. I
haven't found laptop with harddisks able to stream at 600MB/s :)

Didier


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe