Performance

Some tips to fine-tune Ethereal's performance.

There are two main areas where performance is currently an issue: large capture files and packet drops while capturing.

Working with large capture files

If you have a large capture file (e.g. > 100 MB), Ethereal will become slow when loading, filtering and performing similar actions.

There are some things you can do, although they unfortunately reduce decoding comfort:

  • disable Coloring Rules: this will significantly increase performance. To disable these rules, use View->Colorize Packet List. You could also delete all coloring rules or rename the coloring rules file.

Disabling some preference settings may save a lot of memory. Be aware that these features may be required to decode the packets you are interested in properly, so you might miss packets because they are misinterpreted.

You can check whether that's the case by loading a capture file, setting a display filter for the packet types in question and seeing if the number of displayed packets is the same with and without these settings. You may need to reload the file after changing the settings (and don't forget to press the "Save" button :-).

Some good preference setting candidates:

  • IP/Reassemble fragmented IP datagrams

  • TCP/Allow subdissectors to reassemble TCP streams
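The comparison described above, scripted with tethereal as an added example (this is not code from the Ethereal wiki or project). It assumes tethereal is on PATH, that the preference names ip.defragment and tcp.desegment_tcp_streams back the two settings listed, and uses the -R read filter mentioned later on this page.

```shell
#!/bin/sh
# Added example, not from the Ethereal wiki: count the packets a display filter
# matches with the reassembly preferences on, then again with them off, to see
# whether disabling them makes packets disappear from the filtered view.
# Assumed: tethereal is on PATH, and ip.defragment / tcp.desegment_tcp_streams
# are the preference names behind the two GUI settings listed above.

# count_displayed FILE FILTER [name:value ...]
# Prints how many packets in FILE match the read filter FILTER, after applying
# any -o preference overrides given as extra arguments.
count_displayed() {
    file=$1; filter=$2; shift 2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    overrides=""
    for pref in "$@"; do overrides="$overrides -o $pref"; done
    # overrides is intentionally left unquoted so it splits into -o name:value pairs
    tethereal -r "$file" -R "$filter" $overrides | wc -l | tr -d ' '
}

# verdict WITH WITHOUT
# Returns 0 when both counts agree (the settings can be disabled for this
# filter), 1 when they differ (some packets are now decoded differently).
verdict() {
    if [ "$1" -eq "$2" ]; then
        echo "same count ($1): safe to disable reassembly for this filter"
        return 0
    fi
    echo "count differs: $1 with reassembly, $2 without; keep the settings enabled"
    return 1
}

# check_prefs FILE FILTER: run both passes and report the result
check_prefs() {
    with=$(count_displayed "$1" "$2")
    without=$(count_displayed "$1" "$2" ip.defragment:FALSE tcp.desegment_tcp_streams:FALSE)
    verdict "$with" "$without"
}

# Usage: sh check_prefs.sh capture.cap 'http.request'
if [ $# -eq 2 ]; then check_prefs "$1" "$2"; fi
```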

Display system overview

If the above hints didn't help, you may need to upgrade your machine. The following gives some insight into which parts are worth looking at.

A simplified look at the display system:

harddisk -> packet dissection -> display filter / coloring rule -> display

  • harddisk - uncritical

  • packet dissection - fine tune the Preferences

  • display filter

  • coloring rule

  • display - uncritical

Things that may help: add more physical RAM and use a faster CPU (multi-core CPUs won't help much, as dissection is done in a single task).

Packet drops while capturing

After you've finished a capture, you may notice packet drops, indicated by the status bar counter.

What has happened? Not all packets coming in from the network could be saved to the capture file. As your machine was too slow to handle the incoming packet rate, some packets had to be discarded.

General considerations:

  • stop other programs running on that machine, to remove system load

  • buy a bigger, faster machine ;-)

  • as neither Ethereal nor Tethereal is optimized for capture speed on a specific operating system, use a "capture only" program to capture packets and use Ethereal/Tethereal later to do the analysis. As of the upcoming version 0.10.15 you can use dumpcap for this (or e.g. TcpDump / WinDump)

Optimized Ethereal settings:

  • don't enable "Update list of packets in real time" in the capture options dialog, to reduce system load

  • Win32 only: increase the Buffer size in the capture options dialog (set it to a reasonable value, e.g. 20 MB, depending on your system's memory size)

  • don't use read filters (the -R command line option); they need processing time and a lot of memory

  • don't use capture filters, as they need processing time (but if you're not interested in all packets, a capture filter that selects only the packets you're interested in can reduce overall processing time, as packets are discarded by the capture filter before being written to the capture file; on systems with in-kernel capture filtering they are discarded before they're even copied up to Ethereal from the kernel)

Capturing system overview

If the above hints didn't help, you may need to upgrade your machine. The following gives some insight into which parts are worth looking at.

A simplified look at the capturing system:

network card -> libpcap(capture filter) -> capture tool -> harddisk

  • network card - some cards need a lot more CPU power than others

  • libpcap - an optional capture filter will need additional CPU power

  • capture tool - won't do much processing (gets the packets from libpcap and writes them to the harddisk)

  • harddisk - as fast as possible; a fast RAID might be preferable

  • CPU - capturing is a single task, so a multi-core CPU won't help a lot

The amount of memory isn't really critical for capturing.

Of course, the system itself should be reasonably configured; e.g. a very fast CPU doesn't make much sense with only very limited RAM.