I have been doing a lot of work on this as I am capturing / processing data from around 4000 users on a gig link.
Ubuntu Linux (no GUI) has been more stable and slightly faster than XP SP3. Also, when is the last time you had to reboot your Linux box ^_^.
Windows has a built-in limit to how much memory a single process can use, which I think is around the 2GB mark, but don’t quote me. Linux can also have something similar, but it’s changeable. Both Windows and Linux cache disk data and sometimes do not free up the memory fast enough for a hungry Wireshark, although Linux does it quicker and you can manually flush it if you want.
Never compared to win2k before.
What I suggest you do is separate the capture and display processes. I don’t know what CPU you have, but most modern ones have multiple cores and any particular tshark/Wireshark will only use one of them. If you only want the headers, use “-s x” where x is around 64 to save your memory.
For speed, always use tshark to capture. If you need on the fly, make tshark move to a new capture file every x seconds. You can then use tshark and/or Wireshark to display the capture file. If you use tshark to display the capture file, using “-o column.format” rather than “-T fields -e” seems to be much faster.
Hope that helps.
Chris
-----Original Message-----
Hi !
Right now I am running Windows 2000 Server on a quite powerful machine. Could you please tell me on which operating system Wireshark runs best? Does Linux improve the performance of the application, or make it run more stably? On Windows the app crashes quite often when analyzing bigger files. The machine has 16GB of RAM.
Thx Hans
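
The split between capture and display suggested in the reply, sketched as an added example (not from either poster). The interface name, directory, rotation interval and column list are assumed values, and the column preference is written `gui.column.format`, the name current tshark releases use for it.

```shell
#!/usr/bin/env bash
# Added example: one tshark captures into rotating files, a second
# process displays only the files that capture has already closed.
IFACE="${IFACE:-eth0}"            # assumed interface name
CAP_DIR="${CAP_DIR:-/var/tmp/caps}"  # assumed capture directory
SNAPLEN=64                        # headers only, as suggested in the reply
ROTATE_SECS=60                    # assumed rotation interval

# Capture process: truncated packets, new file every ROTATE_SECS seconds.
# tshark names the files ring_NNNNN_YYYYMMDDHHMMSS.pcap.
start_capture() {
    mkdir -p "$CAP_DIR"
    tshark -q -i "$IFACE" -s "$SNAPLEN" \
        -b "duration:$ROTATE_SECS" -w "$CAP_DIR/ring.pcap" &
}

# Files safe to read: every rotated file except the newest one,
# which the capture process is still writing.
closed_files() {
    ls -1 "$1"/ring_*.pcap 2>/dev/null | sort | sed '$d'
}

# Display process: fixed column layout instead of -T fields -e.
show_file() {
    tshark -r "$1" -o \
      'gui.column.format:"Time","%t","Source","%s","Destination","%d","Len","%L"'
}

# Run as: ./split_capture.sh run
if [ "${1:-}" = "run" ]; then
    start_capture
    while sleep "$ROTATE_SECS"; do
        closed_files "$CAP_DIR" | while IFS= read -r f; do
            show_file "$f" && rm -f -- "$f"   # free disk once displayed
        done
    done
fi
```

Skipping the newest file matters because reading a capture that is still being written can yield a truncated last packet.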