
Author Profile - Tony Fortunato is a Senior Network Specialist with experience in design, implementation, and troubleshooting of LAN/WAN/Wireless networks, desktops and servers since 1989. His background in financial networks includes design and implementation of trading floor networks. Tony has taught at local high schools, Colleges/Universities, Networld/Interop and many onsite private classroom settings to thousands of analysts. Tony is an authorized and certified Fluke Networks and Wireshark Instructor. His Pine Mountain Group CNA Level I and II certification demonstrates his vendor neutral approach to network design, support and implementations. Tony has architected, installed and supported various types of Residential Wireless High Speed as well as hundreds of WIFI hotspots. Tony uses a variety of technologies from Powerline, Wireless and wired technologies to find the most cost-efficient and reliable solution for his customers. Tony combines custom programs, open source and commercial software to ensure a simple support infrastructure.
A Real World Test of Wireshark 1.3.1!
A sample of What is to come in Q1, 2010 in Wireshark 1.4.x
When Tim O’Neill, OldCommGuy, from LoveMyTool.com told me that he had talked to Gerald Combs and that the next version of Wireshark ‘will feature a new packet list implementation that's faster, more responsive, and uses less memory’, I was skeptical. Let’s face it, that’s a pretty standard claim we’ve all heard before. When Tim asked if I would be willing to compare the current version to the next version, I said ‘sure’.
I started by reading about GtkCList and GtkTreeView (the old and new widgets behind the packet list) and quickly remembered why I don’t program for a living. I soon felt tired and confused and needed a plan of attack. I realized that protocol analysts like me don’t care about the programming mumbo-jumbo; I want to see if it is really faster. Lastly, I want to know if faster means seconds or milliseconds.
I downloaded wireshark-win32-1.3.1-SVN-30573.exe, the developer build with the new and faster packet list, then I searched my lab for 2 computers with the same hardware specifications, so I could literally run them side by side for a real comparison.
I wanted to find a computer with hardware specs in the middle of the road. My reasoning was that any performance differences would be more obvious if my test PC wasn’t loaded with tons of RAM and multiple processors. I also know from experience that many network analysts typically get hand-me-down hardware, or have to piece troubleshooting tools together with whatever parts are lying around. Thus this is a “real world test”.
I came across 2 laptops with the following specifications:
- DELL Latitude C840
- Windows XP Professional Service Pack 3
- 1.80 gigahertz Intel Pentium 4 Processor
- 512 Megabytes Installed Memory
Then I went searching for various trace files in my library. I wanted several files with a variety of protocols, addresses, and file sizes. I know that all trace files are treated differently by protocol analyzers. Sometimes the number of packets, the number of IPs, or the mix of protocols will impact analyzer performance. So I chose some of my larger and more varied files to see just how fast 1.3.1 is, even though it is a development build and not the final version.
Here’s what I came up with to use as my test capture files:
| Filename | Packets | MAC addresses | IP addresses | File size |
|---|---|---|---|---|
| Capture2.PCAP | 66,524 | 40 | 32 | 7.2 MB |
| Logon.cap | 31,233 | 4 | 11 | 10.27 MB |
| Ndis.cap | 61,878 | 4 | 5 | 23.855 MB |
| Capture 2.pcap | 66,524 | 40 | 32 | 7.383 MB |
| Bigone.pcap | 226,159 | 46 | 48 | 44.581 MB |
LOADING A FILE
The first test was to simply load a trace file and measure how long it took with my stopwatch. As a personal preference I made sure the laptop had no internet connectivity, to avoid any automated updates from affecting my results. Each trace file was loaded 3 times and I averaged the results.
| Trace file | Wireshark 1.2.1 | Wireshark 1.3.1 |
|---|---|---|
| Capture2.pcap | 15.28 sec | 4.35 sec |
| Ndis.cap | 38.20 sec | 8.88 sec |
| Logon.cap | 12.10 sec | 4.10 sec |
| Bigone.pcap | 74.34 sec | 16.25 sec |
As you can clearly see from the above table, 1.3.1 outperformed 1.2.1 loading all the files.
Launching Wireshark
When it came to simply launching Wireshark, there was a noticeable difference as well. Wireshark version 1.2.1 launch time was 19.52 sec and version 1.3.1 launch time was 11.87 sec.
| Trace file | Wireshark 1.2.1 | Wireshark 1.3.1 |
|---|---|---|
| Bigone.pcap | 19.52 sec | 11.87 sec |
Statistics -> Endpoints
The next thing I tested was simply opening the Statistics -> Endpoints report.
| Trace file | Wireshark 1.2.1 | Wireshark 1.3.1 |
|---|---|---|
| Bigone.pcap | 14.95 sec | 7.11 sec |
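The post times each step with a stopwatch and averages 3 runs. The harness below is an added example, not Tony's method or any Wireshark project code: it times the same three operations (read a file, read with the Endpoints statistic, and a bare launch) against two tshark builds from the command line, so the numbers are repeatable and free of human reaction time. It assumes the two builds are reachable as tshark binaries (paths are placeholders), that `tshark -r FILE -q` dissects the whole file without printing packets, and that `-z endpoints,ip` computes the IP endpoints table as the GUI's Statistics -> Endpoints does (current tshark accepts it; a 2009-era build may not). It also adds two checks the stopwatch method lacks: a warm-up read so the first build measured does not pay the disk-cache penalty alone, and interleaving the builds on every run so background load hits both equally.

```python
"""Repeatable timing harness for comparing two Wireshark/tshark builds.

Added example; not from the original post. Binary paths, the capture list
and the -z endpoints,ip option are assumptions, see the lead-in.
"""
import statistics
import subprocess
import sys
import time
from typing import Dict, List, Sequence

PYTHON = sys.executable  # used as a stand-in command when tshark is absent


def build_command(tshark: str, capture: str = "", endpoints: bool = False) -> List[str]:
    """Command line for one measured run.

    No capture: bare launch (tshark -v prints its version and exits).
    Capture: dissect the whole file quietly; with endpoints=True also
    compute the IP endpoints table (assumed option: -z endpoints,ip).
    """
    if not capture:
        return [tshark, "-v"]
    cmd = [tshark, "-r", capture, "-q"]
    if endpoints:
        cmd += ["-z", "endpoints,ip"]
    return cmd


def time_command(cmd: Sequence[str]) -> float:
    """Wall-clock seconds for one run; the command's output is discarded."""
    start = time.perf_counter()
    subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=True)
    return time.perf_counter() - start


def summarize(samples: Sequence[float]) -> Dict[str, float]:
    """Mean (what the post reports) plus median/min/max so one outlier shows."""
    if not samples:
        raise ValueError("no samples")
    return {
        "mean": round(statistics.mean(samples), 2),
        "median": round(statistics.median(samples), 2),
        "min": round(min(samples), 2),
        "max": round(max(samples), 2),
        "runs": len(samples),
    }


def compare(builds: Dict[str, str], captures: Sequence[str], runs: int = 3,
            endpoints: bool = False, warmup: bool = True) -> Dict[str, Dict[str, Dict[str, float]]]:
    """Time every capture under every build, interleaving builds per run.

    Running all of build A then all of build B would let B read files the
    OS already cached for A; interleaving and a discarded warm-up read
    give both builds the same cache state and background load.
    """
    raw: Dict[str, Dict[str, List[float]]] = {n: {c: [] for c in captures} for n in builds}
    for cap in captures:
        if warmup:
            for path in builds.values():
                time_command(build_command(path, cap, endpoints))  # result discarded
        for _ in range(runs):
            for name, path in builds.items():
                raw[name][cap].append(time_command(build_command(path, cap, endpoints)))
    return {n: {c: summarize(s) for c, s in per_cap.items()} for n, per_cap in raw.items()}


if __name__ == "__main__":
    # Placeholder paths and file names (assumptions); edit to match your lab.
    builds = {"1.2.1": "C:/wireshark-1.2.1/tshark.exe", "1.3.1": "C:/wireshark-1.3.1/tshark.exe"}
    captures = ["Capture2.pcap", "Ndis.cap", "Logon.cap", "Bigone.pcap"]
    try:
        for label, opts in (("load", {}), ("endpoints", {"endpoints": True})):
            for build, per_cap in compare(builds, captures, runs=3, **opts).items():
                for cap, stats in per_cap.items():
                    print(f"{label:9} {build} {cap:14} {stats}")
    except FileNotFoundError as exc:
        print(f"binary or capture not found: {exc}")
```

Report the median alongside the mean: with only 3 runs, one background task (an AV scan, an index update) can drag the mean by seconds, which is the same reason the post disconnected the laptop from the network before timing.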
The conclusion is pretty obvious – WOW!!!! I can’t wait to get the final release built on 1.3.1, which is the test case for the future, and I cannot wait to see what is coming in 1.4.x in 2010!
Great Job - Gerald and the Wireshark Team!!