Wireshark · Ethereal-users: RE: [Ethereal-users] Truly infinite capture

Ethereal-users: RE: [Ethereal-users] Truly infinite capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Fulvio Risso" <risso@xxxxxxxxx>

Date: Wed, 13 Dec 2000 09:05:21 +0100

> -----Original Message-----
> From: McNutt, Justin M. [mailto:McNuttJ@xxxxxxxxxxxx]
> Sent: Thursday, December 07, 2000 16:40
> To: 'Fulvio Risso'; Visser, Martin (SNO)
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: RE: [Ethereal-users] Truly infinite capture
>
>
> > However I'm not confident that its performances are adequate.
> > What ntop does (as far as I know) is:
> > - capture a packet
> > - transfer it at user level (that means overhead)
> > - calculate statistics
> > - discard the packet
> >
> > What the WinPcap library intends to do is:
> > - *see* a packet
> > - calculate statistics
> > that means incredibly lower overhead.
> >
> > The problem is that:
> > - WinPcap is available for Win32 only
> > - WinPcap does not provide advanced monitor features (these
> > are still under
> > development), so it cannot be deployed "as is" to make you own ntop.
>
> How does libpcap 0.5 fit into this?

libpcap should be the library Ntop uses to capture and filter packets.
WinPcap is the better porting of libpcap on Win32; it has all the original
system calls plus some more.


> > In other way, ntop is just another packet capture tool. The difference
> > between Ethereal and ntop is just that Ethereal shows packets
> > while ntop
> > shows statistics. However the internals, i.e. the overhead to
> > perform that
> > job, are absolutely the same.
> > Therefore, I guess, your P-III - 1GHz could not be able to
> > grab all traffic.
>
> <shrug>  Even if it's missing packets, it ought to miss them at random,
> right?  Therefore at least the percentages for relative amount of protocol
> usage would be correct.  The raw bandwidth numbers I can get from the
> routers themselves via SNMP.
>
> As long as it doesn't *crash* it'll probably work... once the packet
> dissectors are fixed.

I guess so.
The relative percentage should be correct; however you suold not be able to
determine the link load.
I mean, you should be able to know that IPX traffix = 30% IP, but you should
to be able to know that IP traffic = 80% of the link bandwidth.


> > Please correct me if I'm wrong.
>
> <grin>  Don't know yet.  I've built the box, but haven't put it
> in play yet.
> I'll let you know (should I post to the list?).

Probably not.

Cheers,

	fulvio

References:
- RE: [Ethereal-users] Truly infinite capture
  - From: McNutt, Justin M.

Prev by Date: RE: [Ethereal-users] Truly infinite capture
Next by Date: Re: [ethereal-users] UDP/ICMP Checksums
Previous by thread: RE: [Ethereal-users] Truly infinite capture
Next by thread: RE: [Ethereal-users] Truly infinite capture
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$