Wireshark · Ethereal-dev: Re: [Ethereal-dev] Performance. Ethereal is slow when using large captures.

Ethereal-dev: Re: [Ethereal-dev] Performance. Ethereal is slow when using large captures.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Kevin <kem2@xxxxxxx>

Date: Fri, 14 Nov 2003 17:06:17 -0500

Not a programmer, but would be happy to help in anyway.

As to testing the speed, I would suggest that you specify the gprof,ps and any other values you wish to capture.


Kevin

On Thursday, November 13, 2003, at 09:54 PM, Ronnie Sahlberg wrote:

Ethereal is very slow when working with very large captures containing
hundred of thousands of packets.
Every operation we do that makes ethereal rescan teh capture file taksa
long time.
I would like to start looking at methods to make ethereal faster,especially
for large captures trading a larger memory footprint
for faster refiltering speeds but would like to know if there areothers
interested in helping.
(you dont have to be a programmer, someone that knows how to rungprof and
read the data would be very very helpful as well)


If there is interest maybe we should try to ask Gerald to set up an
additional mailinglist as well : ethereal-speed@xxxxxxxxxxxx butthat is a
question for later
depending on whether there is interest.


If there is interest in this, I propose we take 0.9.16 as baseline, and
measure the execution speed and memory footprint for ethereal
for this version to start with.
A good example capture might be setting snaplen to 100 anddownloadingethereal from the website over and over until the capture file has100.000
packets (10MB).
Create three color filters : "ip" "tcp" and "frame.pkt_len>80"(random
filter strings from the top of my head)
Open the UPD and the TCP conversation list.
Load the capture into ethereal.
then measure the time it takes to refilter the capture as fast aspossible
10 times using the display filter "tcp.port==80"
After the 10th refilter of the trace, measure the memory footprint of
ethereal using ps.

Repeat this using a gzipped copy of the capture file.
This could be the baseline.
(the time to perform the test should be a couple of minutes at leastso that
we can see any differences in test implementations easier)
After this it would be good if someone did this test and collectedgprof
data to see where most of the cpu is spent.
I guess but am not sure it is in the actual dissection of the packet.
It would be great to have this verified.
Everything below this line assumes the theory that the dissection ofpackets
are taking up a significant part of the time to refilter a packet.
Hypothesis: a lot of time is spent redissecting the packets over andover
everytime we refilter the trace.
Possible Solution: reduce the number of times we redissect the packets.
(We would need a preference option called "Faster refiltering at theexpense
of memory footprint". Memory is cheap but CPU power is finite)

currently:
Everytime we rescan a capture file we loop over every single packetand:
dissect the packet completely and build an edt tree (in file.c)
prune the edt tree to only contain those fields that are part of anyof thefilters we use (display filter, color filter, the filter used by tapsetc)
evaluate each filter one at a time using the now pruned edt tree.
discard the edt tree and go to the next packet.

possible optimization:
When we dissect the packet the first time, keep the full edt treearound
and never prune it.
The loop would then be:
Loop over all the packets:
For this packet, find the unpruned edt tree (dont dissect thepacket at
all)
   apply all filters one at a time on the unpruned edt tree.
This would at the expense of keeping the potentially very memoryconsuming
edt tree around eliminate the need to redissect the packet.
The memory required by the edt tree could probably be optimized overtime.The risk is, how will the time it takes to evaluate a filter beaffected bythe tree not being pruned? What is the execution time compared tonumberof fields held in the edt tree ? Ordo(n) or Ordo(n^2) ? Maybe wewould
have to do major brainsurgery there as well?
Maybe it turns out to be unfeasible?   Who knows until we have tried.
Still, SOME things we do would require a redissect of the packetanyway such
as when clicking on the packet in the packet list but that is not
performance critical.
Can anyone see any obvious flaws in the reasoning above which wouldmake it
unfeasible or the approach irrelevant?
Would anyone that knows gprof be interesting is doing the measurementson
the "baseline" as suggested? and keep testing the same sample file
for all further performacne tests we do so we know if we are going inthe
right direction or not?


_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

References:
- [Ethereal-dev] Performance. Ethereal is slow when using large captures.
  - From: Ronnie Sahlberg

Prev by Date: Re: [Ethereal-dev] Performance. Ethereal is slow when using large captures.
Next by Date: [Ethereal-dev] Patch for Protocols and Preferences hotkeys
Previous by thread: Re: [Ethereal-dev] Performance. Ethereal is slow when using largecaptures.
Next by thread: [Ethereal-dev] rtpdump & CN packets
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$