ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] Which hardware

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sat, 09 Feb 2008 02:27:03 +0100
ronnie sahlberg schrieb:

Personal first hand experience.

SCNR to ask your motivations ;-)

I have tested this myself on several PCs and compared.  The same host,
the same capture file, the same preferences using the same SVN version
of wireshark
it ran 2+ times faster when booting into linux than w2k and w2k3.
Bear in mind,  the tests were all for semi large capture files in the
range 10-200MByte  and testing how long it takes to load a trace, how
long it takes to filter a trace, how long it takes to bring up the tcp
sequence number graph.
I think it was something like 5-6 different single and multi cpu systems.
(multiprocessing is a bit pointless with wireshark)
Well, while *capturing*, the capture and display tasks could run on two different CPU's - however, I've never checked if they really do ;-) 
The purpose was to find which hw+sw config would perform the fastest a
large group of users that would spend significant amount of time
looking at and filtering and analyzing 100MB - 1GByte large capture
files. I dont care what systems the end users would end up using,
they just wanted to know :
"which hw+sw combination should we use to make analyzing/filtering of
large captures as fast as possible".
Right! And I don't have any problems with your recommendation as you have tested it :-) 
That is probably an effect of linux having wastly better memory
management than windows.

Oh, come on! Please don't spread FUD just as Microsoft does!!!
Simply stating that Wireshark is 2+ times faster on Linux than on Windows, so this is probably caused by worse memory management on Windows is just FUD. Keep in mind that the libraries used to run Wireshark/tshark all have their origins in the "Unix world", so they're probably optimized here and ported more or less well to the Windows platform. For example, GTK+ is running "almost natively" on X (basically it was build as a replacement for motif) and was much later ported to Windows. Therefore it's just very likely that GTK+ is running faster on Linux than on Windows.
Following the same argumentation, using a fast commercial analyzer (highly optimized for) Windows compared to Wireshark would clearly state the superior Windows platform ... 

Regards, ULFL
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube