Wireshark-users: Re: [Wireshark-users] which Operating System for Wireshark ? best performance

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 30 Jun 2009 20:28:59 +1000
On Tue, Jun 30, 2009 at 7:46 PM, Schimek,Hans<Hans.Schimek@xxxxxxxx> wrote:
> Hi !
>
> Right now I am running Windows 2000 Server on a quite powerful machine.
>
> Could you please tell me on which operating system wireshark is running best ?
>
> Does Linux improve the performance of the application ? or make it run more
> stable – on windows the app crashes quite often when analyzing bigger files.
>
> Machine has 16GB of RAM
>

I used to test these things a lot years ago.
This is in the context of a beefy machine dedicated to analysis of
large traces only. No other apps, etc. Just a box dedicated to
wiresharking of huge captures and nothing else. The focus was on
re-filtering traces.


From memory I seem to recall that linux wireshark used to perform
often about twice as fast as w2k wireshark on the same hardware.
For large captures that would take up most of the available RAM.


A colleague of mine did do a separate analysis and plotting time to
re-filter 1,2,3,...100 million packet captures under different systems
(Linux, W2k and osx) in order to decide which platform to use when
purchasing some hundred boxens for dedicated wireshark tracing.
While most systems performed equally on small captures, once the
captures grew, the filtering time grew linearly on each platform but
with a different constant. (osx used apple hw, w2k and linux used
the same beefy pc hardware)
This was for us very surprising since we thought that wireshark
re-filtering would have been a pure cpu bound task, but the different
constants for scaling suggested something completely different.
We did not investigate the root cause of this difference much further.

My personal theory is that with this large dataset this difference was
caused by differences in quality of the paging system and the cache
mgmt code.
OSX did in our tests scale slightly better than linux, both of which
left the third platform eating the dust (that platform had a really
nasty scaling constant compared to osx and linux).



If it is for a dedicated box, the best you can do is to get a really beefy
machine with a lot of memory and then test 1, 10, 100 million packet
captures and see how it performs under the available platforms.


ronnie s
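The measurement Ronnie describes (time a re-filter pass over captures of growing size, then fit the per-platform scaling constant), written up as an added example that is not from the thread or the Wireshark project. It assumes `tshark` is on PATH and that you already have captures of known packet counts; the timings in `SAMPLE_RESULTS` are constructed for illustration, not measurements from the thread.

```python
"""Time tshark re-filtering over captures of growing size and fit the
per-platform scaling constant (seconds per million packets)."""
import subprocess
import sys
import time


def tshark_refilter_cmd(capture_path, display_filter):
    """Command line that reads a capture and applies a display filter
    (tshark -r / -Y); the caller discards the output so only filtering is timed."""
    return ["tshark", "-r", capture_path, "-Y", display_filter]


def time_refilter(capture_path, display_filter):
    """Wall-clock seconds for one re-filter pass over capture_path."""
    start = time.perf_counter()
    subprocess.run(tshark_refilter_cmd(capture_path, display_filter),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=True)
    return time.perf_counter() - start


def fit_scaling(samples):
    """Least-squares fit of seconds = a + b * million_packets over
    (million_packets, seconds) pairs. Returns (a, b); b is the scaling constant."""
    n = len(samples)
    sx = sum(x for x, _ in samples)
    sy = sum(y for _, y in samples)
    sxx = sum(x * x for x, _ in samples)
    sxy = sum(x * y for x, y in samples)
    denom = n * sxx - sx * sx
    if denom == 0:
        raise ValueError("need at least two distinct capture sizes")
    b = (n * sxy - sx * sy) / denom
    return (sy - b * sx) / n, b


def compare_platforms(results):
    """results: {platform: [(million_packets, seconds), ...]} -> {platform: b},
    ordered from the smallest (best) scaling constant to the largest."""
    slopes = {name: fit_scaling(s)[1] for name, s in results.items()}
    return dict(sorted(slopes.items(), key=lambda kv: kv[1]))


# Constructed illustrative timings (hypothetical, not from the thread).
SAMPLE_RESULTS = {
    "osx":   [(1, 1.0), (10, 9.5), (100, 95.0)],
    "linux": [(1, 1.1), (10, 11.0), (100, 110.0)],
    "w2k":   [(1, 2.2), (10, 22.0), (100, 220.0)],
}

if __name__ == "__main__":
    # usage: bench.py 'tcp.analysis.retransmission' 1:cap1.pcapng 10:cap10.pcapng ...
    flt, specs = sys.argv[1], sys.argv[2:]
    samples = [(float(m), time_refilter(p, flt)) for m, p in (s.split(":", 1) for s in specs)]
    print("seconds per million packets: %.3f" % fit_scaling(samples)[1])
```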