
Is there a way on macOS to tell Wireshark to use more CPU/memory?

I'm working on a capture file of about 5.5G, or about 18 minutes of traffic on a local LAN. I'm trying to analyze it on a 2019 iMac with a Core i9 and 24GB of RAM with a 1TB SSD -- IOW, a machine with plenty of horsepower.

Yet Wireshark seems to be using only trivial amounts of CPU and memory, according to iStat Menus. Is there a way to tell Wireshark to "go to town" and take all it can get from a machine in hopes of speeding performance?

yobyot
asked 2019-05-12 20:05:02 +0000

Comments

> Yet Wireshark seems to be using only trivial amounts of CPU and memory, according to iStat Menus.

If it's not currently dissecting packets, or running some statistical analysis from the menu, or filtering the packet, or doing some other form of work, it would be a major bug if it were using non-trivial amounts of CPU - it shouldn't burn up the CPU while it's waiting for you to tell it to do something.

Is it even showing trivial amounts of CPU while it's doing some work?

Guy Harris (2019-05-12 20:50:05 +0000)

Ah! Good points. I wasn't specific enough. During live capture, adding a filter, for example, can take 30 to 40 seconds (I was focusing on mDNS in this case). I was hoping that's the kind of operation that could "pin" the CPU. But it doesn't.

yobyot (2019-05-12 20:53:02 +0000)

1 Answer


> I was hoping that's the kind of operation that could "pin" the CPU.

As a multiprocessor system, your iMac has 8 CPUs.

Packet dissection is a process that is hard to parallelize so that it can use more than one thread; the dissection of packet N is not necessarily independent of the dissection of packet M, for M < N.

It is not currently parallelized, so it only uses one CPU, and only one of your CPUs could be pinned by the process, so it may not get much above 12.5% of the system's total CPU power.

We've thought some about ways to try to parallelize it, e.g. assigning packets to CPUs based on transport-layer connections to reduce the chances that two packets being dissected in parallel will have dependencies that force dissection of the later packet to stall until dissection of the earlier packet completes, as well as adding dependency checking to stall in the case that there is a dependency between packets from different connections. Unfortunately, the process of identifying the connection to which a packet belongs is part of the dissection process, so this might involve handing packets from one thread to another.

As for memory, saving the full results of dissection if you have enough physical memory (and perhaps discarding it if the system is reporting memory pressure to the application; macOS has mechanisms to do that, other OSes might or might not) might speed up filtering, but so might reducing the amount of dissection done to evaluate a filter.

Guy Harris
answered 2019-05-12 21:13:53 +0000
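A sketch of the connection-based assignment described in the answer above, as an added example (not Wireshark code and not from the answer's author). It assumes each packet's 5-tuple is already known, which the answer notes is itself part of dissection; the `needs` field, the round-robin placement and the sample packets are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    num: int                      # frame number, in capture order
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    needs: Optional[int] = None   # constructed: earlier frame whose state this one reads


def flow_key(p):
    """Direction-independent 5-tuple, so both directions of a connection match."""
    return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))


def shard(packets, workers):
    """Hand each newly seen connection to the next worker, round-robin."""
    flows, queues, owner = {}, defaultdict(list), {}
    for p in packets:
        w = flows.setdefault(flow_key(p), len(flows) % workers)
        queues[w].append(p.num)   # per-connection capture order is preserved
        owner[p.num] = w
    return dict(queues), owner


def stalls(packets, owner):
    """(frame, needed frame) pairs where the needed frame sits on another worker."""
    return [(p.num, p.needs) for p in packets
            if p.needs is not None and owner[p.needs] != owner[p.num]]


# Constructed capture: an FTP control connection, mDNS traffic, and an FTP data
# connection whose port was announced in frame 3 of the control connection.
CAPTURE = [
    Pkt(1, "tcp", "10.0.0.5", 50000, "10.0.0.9", 21),
    Pkt(2, "udp", "10.0.0.7", 5353, "224.0.0.251", 5353),
    Pkt(3, "tcp", "10.0.0.9", 21, "10.0.0.5", 50000),
    Pkt(4, "tcp", "10.0.0.5", 50001, "10.0.0.9", 40000, needs=3),
    Pkt(5, "udp", "10.0.0.7", 5353, "224.0.0.251", 5353),
    Pkt(6, "tcp", "10.0.0.9", 40000, "10.0.0.5", 50001),
]

if __name__ == "__main__":
    for n in (2, 3):
        queues, owner = shard(CAPTURE, n)
        print(n, "workers:", queues, "stalls:", stalls(CAPTURE, owner))
```

With three workers, frame 4 has to wait for frame 3 on another worker; with two, both connections happen to share a worker and no stall occurs.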

Comments

Thank you very much for the detailed, informative answer.

This is one reason people love Wireshark: it comes with a knowledgeable, responsive community.

yobyot (2019-05-12 21:23:42 +0000)
