
Wireshark throughput is less over PIPE

Hello experts,

On Windows 10, running on a well-configured system (Intel i7, 16 GB RAM), an application is receiving live traffic at 30 Mbps which is then relayed/passed on to a 64-bit Wireshark process via an (unnamed) PIPE. The pipe is created by the CreatePipe() Win API and tied to Wireshark's stdin - the Windows-recommended way. Wireshark CPU & RAM consumption does not indicate overload.

It looks like Wireshark is not able to receive traffic at this rate. In fact, it is able to receive at ~2Mbps only. Some steps tried that have not yielded positive results:

  • Increased the size of the pipe from the default to 512KB, 4MB and 40MB - throughput degraded once the pipe filled up in a few seconds
  • Tried to flush the pipe using FlushFileBuffers - throughput degraded (https://docs.microsoft.com/en-us/wind...)
  • Specified a buffer-size to Wireshark using option -B 100 - no improvement
  • Used hard disk type SSD instead of HDD - no improvement
  • When we ran a custom program on the other side of the pipe that consumes packets just like Wireshark would (with much less processing overhead), we were able to pass on traffic at the expected 30 Mbps.

Questions:

Q.1. At what rate can Wireshark receive traffic over a PIPE from other apps?
Q.2. What (settings/parameters/environment) would slow Wireshark down when receiving traffic over a PIPE?
Q.3. What configuration/environment/parameter changes to Wireshark or the Windows OS can be made to improve Wireshark throughput?
Q.4. How does the throughput of Wireshark on Windows receiving traffic over a pipe-to-stdin compare with Wireshark throughput when listening over a network interface?

Regards,
Amit

asked 2021-07-01 09:17:33 +0000, updated 2021-07-01 10:51:05 +0000

Comments

Why do you need to have the stream analysed/displayed by wireshark in real time? Either have your capture program write a pcap(ng) file directly or use dumpcap to write to file(s) then analyse the resulting file(s) with wireshark or script tshark to extract the information you need.

Anders's avatar Anders (2021-07-01 12:31:19 +0000) edit

Thanks for response.

Wireshark captures packets in real time on a network interface as standard functionality. We wanted to use the same real-time capture functionality over a pipe.

Are there any limitations because of which this cannot be achieved over pipe?

amit_wireshark's avatar amit_wireshark (2021-07-01 12:58:27 +0000) edit

1 Answer


Interesting...

So have you tested how fast Wireshark can capture when not using a pipe? I don't think anyone is going to know the answer to Q.1 or Q.4 - you'd have to try that yourself.

To my knowledge, not a lot of people capture via pipes. Keep in mind that when doing a live capture from a NIC dumpcap does the capture, writes it to a file, and then tells Wireshark/tshark "hey there are more packets in the file for you to read". That's why Anders suggested writing the packets to a file (like dumpcap).

Have you looked at using the ExtCap interface instead?

answered 2021-07-01 13:33:21 +0000
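Both replies point at writing a pcap file (or letting dumpcap do it) instead of relaying packets into Wireshark's stdin. The script below is an added example, not code from the question, the answer or the Wireshark project: it emits a well-formed little-endian pcap stream of constructed Ethernet frames to a file or to stdout (so it can still be piped, e.g. `python pcap_stream.py - | wireshark -k -i -`), reports the achieved write rate so the two sinks can be compared, and parses the stream back to check it. The script name, frame layout, packet counts and the local-experimental EtherType 0x88B5 are assumptions.

```python
import struct
import sys
import time

PCAP_MAGIC = 0xA1B2C3D4                  # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts, frame):
    sec = int(ts)
    usec = min(int((ts - sec) * 1_000_000), 999_999)   # never roll into the next second
    return RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame

def make_frame(seq, size):
    # Constructed frame: two locally administered dummy MACs, EtherType 0x88B5, sequence number, padding
    hdr = bytes.fromhex("020000000001" "020000000002" "88b5")
    return (hdr + struct.pack("<I", seq)).ljust(size, b"\x00")

def write_stream(sink, n_packets, pkt_size, flush_every=0):
    """Write one complete pcap stream to a binary file-like sink; return (bytes written, seconds)."""
    start = time.perf_counter()
    sink.write(pcap_global_header())
    total = GLOBAL_HDR.size
    for seq in range(n_packets):
        rec = pcap_record(time.time(), make_frame(seq, pkt_size))
        sink.write(rec)
        total += len(rec)
        if flush_every and (seq + 1) % flush_every == 0:
            sink.flush()
    sink.flush()
    return total, time.perf_counter() - start

def parse_pcap(data):
    """Parse a pcap byte string back into (linktype, [(timestamp, frame), ...]); rejects bad input."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap stream")
    off, pkts = GLOBAL_HDR.size, []
    while off + RECORD_HDR.size <= len(data):
        sec, usec, incl, _ = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + incl > len(data):
            raise ValueError("truncated record at offset %d" % off)
        pkts.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return linktype, pkts

if __name__ == "__main__":
    # "-" writes the stream to stdout (binary mode, so it is safe on Windows); otherwise to a file
    target = sys.argv[1] if len(sys.argv) > 1 else "stream.pcap"
    with (sys.stdout.buffer if target == "-" else open(target, "wb")) as out:
        nbytes, secs = write_stream(out, 20000, 1000)
    print(f"{nbytes} bytes in {secs:.3f}s = {nbytes * 8 / secs / 1e6:.1f} Mbit/s", file=sys.stderr)
```

Running it once with a file target and once piped into `wireshark -k -i -` gives a side-by-side rate for the two sinks on the same machine.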

Comments

Thanks for the response. We concluded that reading from a PIPE by Wireshark (on Windows) is much slower than other options. We stopped using the PIPE.

amit_wireshark's avatar amit_wireshark (2021-07-14 12:51:30 +0000) edit
