0

Disabling unused protocols

I regularly open ~100 MB files to do troubleshooting. Can I expect a marked increase in performance by disabling the unused protocols?

Is there an easy way to disable everything but the most common protocol? Perhaps editing a config file.

felixbkk
asked 2018-10-06 05:58:49 +0000

2 Answers

1

Hi @Anders, did you mean speedup factors? You're right, I should've mentioned speedup highly depends on some factors:

  • Pcap file content.
  • Protocols being disabled/enabled.

The most noticeable effect I had was when I was working with office uplink traces. These files were filled with a variety of different protocols, of which I only worked with the Ethernet -> IPv4 -> TCP chain, with no Layers 5-7 needed. In this case I got a 1.5 to 2.0 speedup factor, sometimes up to 2.5.

@felixbkk If you work with already filtered/prepared files containing, let's say, HTTP and disable protocols other than the Ethernet -> IPv4 -> TCP -> HTTP chain, you probably won't get that much of an increase in load speed.

Packet_vlad
answered 2018-10-06 07:26:46 +0000, updated 2018-10-06 07:27:44 +0000
0

It can be done.

Go to Analyze -> Enabled protocols and un-check the ones you don't need.


Yes, it can increase file opening speed significantly. You can make a separate profile for this purpose because the Enabled protocols setting is stored on a per-profile basis.

Packet_vlad
answered 2018-10-06 06:08:31 +0000, updated 2018-10-06 06:18:42 +0000

Comments

Do you have any figures backing that up?

Anders (2018-10-06 06:13:22 +0000)

Thank you! With over 2400 protocols do you just disable all of them and then re-add the ones that you need?

I'll have to play around with finding the right balance.

felixbkk (2018-10-06 06:16:59 +0000)

So the major speedup is actually not dissecting protocols actually in the trace, rather than overhead caused by unused dissectors.

Anders (2018-10-06 18:14:17 +0000)

Yes, exactly that. But it'd be interesting to test the latter case you talk about too. I'll take a filtered large-size 1-TCP-stream trace and compare load speed with enabled/disabled protocols. Though I suspect there won't be much difference.

Packet_vlad (2018-10-06 18:51:05 +0000)

So in conclusion if you want to see everything that's in the file there isn't much gain in disabling protocol dissectors for protocols not present in the file?

Anders (2018-10-06 19:13:11 +0000)
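
For the "disable all of them and re-add the ones you need" approach raised in the comments, here is an added example (not part of the original thread) that builds a profile's disabled-protocol list from a keep list such as the Ethernet -> IPv4 -> TCP chain. It assumes the per-profile setting lives in a `disabled_protos` file with one protocol filter name per line, and that the filter name is the third tab-separated column of `tshark -G protocols`; the sample input and the function names are constructed for illustration.

```python
from pathlib import Path

# Constructed sample in the three-column, tab-separated layout that
# `tshark -G protocols` prints: full name, short name, filter name.
SAMPLE_G_PROTOCOLS = (
    "Ethernet\tEthernet\teth\n"
    "Internet Protocol Version 4\tIPv4\tip\n"
    "Transmission Control Protocol\tTCP\ttcp\n"
    "Hypertext Transfer Protocol\tHTTP\thttp\n"
    "Domain Name System\tDNS\tdns\n"
    "Server Message Block Protocol (SMB)\tSMB\tsmb\n"
)

def filter_names(g_protocols_text):
    """Return the filter-name column (3rd field) of `tshark -G protocols`."""
    names = []
    for line in g_protocols_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 3 and fields[2].strip():
            names.append(fields[2].strip())
    return names

def build_disabled_list(g_protocols_text, keep):
    """Every known protocol except the chain we still want dissected."""
    known = filter_names(g_protocols_text)
    missing = sorted(set(keep) - set(known))
    if missing:
        # A typo in the keep list would silently disable a needed layer.
        raise ValueError(f"unknown protocol filter names: {missing}")
    return sorted(n for n in set(known) if n not in keep)

def write_disabled_protos(profile_dir, disabled):
    """Write one filter name per line to <profile_dir>/disabled_protos."""
    path = Path(profile_dir) / "disabled_protos"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("# Generated list of disabled protocols\n"
                    + "".join(f"{name}\n" for name in disabled))
    return path

if __name__ == "__main__":
    import tempfile
    keep = {"eth", "ip", "tcp"}  # the Ethernet -> IPv4 -> TCP chain
    disabled = build_disabled_list(SAMPLE_G_PROTOCOLS, keep)
    out = write_disabled_protos(tempfile.mkdtemp(), disabled)  # stand-in profile dir
    print(out.read_text())
```

Run it against a dedicated troubleshooting profile's directory rather than the default profile, so the full set of dissectors stays available elsewhere.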