Wireshark-users: Re: [Wireshark-users] Ethereal vs wireshark
From: "Small, James" <JSmall@xxxxxxxxxxxx>
Date: Mon, 30 Jul 2007 20:20:14 -0400
Did you try dumpcap?  It's included with Wireshark (the latest version
of Ethereal) and typically is much better at capturing because it
doesn't do any processing - it just dumps everything to a file.  I've
used it in many situations where Wireshark/tshark would drop packets
(1Gbps+) because of processing overhead but dumpcap worked beautifully
with no drops.  Once you have the captured information, you can then use
Wireshark to slice/dice/display it.

Keep in mind though that if you use a PC there are many performance
limits imposed.  For example - a 1 Gbps NIC is pushing the limits of the
traditional PC architecture unless you're using high-end PCI/PCI-X/PCIe
with a corresponding high-performance card (like Intel's).  Don't forget
you need a well-tuned driver and fast CPU/Memory.  There have also been
some interesting papers published on tuning drivers and capture methods
for high speed networks, check out:
http://www.winpcap.org/docs/

--Jim

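As an added illustration of the dumpcap advice above (this is not code from Jim's reply or from the Wireshark project): a shell script that builds a dumpcap command line tuned for high-rate UDP capture (kernel capture filter, small snaplen, enlarged kernel buffer, ring-buffer output), runs it only when dumpcap is installed, and computes the loss percentage the original poster worked out by hand. The interface name `eth0`, the output prefix `/tmp/udpcap` and the 256 MiB buffer size are assumed placeholders; the `-B` option needs a libpcap with buffer-size support, so treat it as one knob to try rather than a guarantee.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Wireshark project.
# Interface, output prefix and buffer size are assumed placeholders.

# Build the dumpcap command line.
#   $1 interface, $2 output file prefix, $3 kernel buffer size in MiB
# -f udp     capture filter evaluated in the kernel, so non-UDP frames never
#            reach user space
# -s 128     snaplen: the poster sends 100-byte packets, so 128 bytes keeps
#            whole frames while limiting the bytes written per packet
# -B <MiB>   enlarge the kernel capture buffer (the default is only a few
#            MiB); the main knob against drops during bursts, where supported
# -b ...     ring buffer: rotate files so no single file grows unbounded
# -q         no running packet-count updates on stderr (less overhead)
build_dumpcap_cmd() {
    iface=$1; out=$2; bufmib=${3:-256}
    printf 'dumpcap -i %s -f udp -s 128 -B %s -q -b filesize:102400 -b files:10 -w %s.pcap' \
        "$iface" "$bufmib" "$out"
}

# Run the capture only if dumpcap is installed; otherwise report and return 1.
# Capturing needs capture privileges (root or the appropriate capabilities).
run_capture() {
    command -v dumpcap >/dev/null 2>&1 || { echo "dumpcap not installed" >&2; return 1; }
    sh -c "$(build_dumpcap_cmd "$@")"
}

# Percentage of packets lost, given how many were sent and how many the
# capture holds (the captured count can be read with `capinfos -c file.pcap`).
loss_pct() {
    awk -v s="$1" -v c="$2" 'BEGIN { printf "%.3f", (s - c) / s * 100 }'
}

# Stand-alone demonstration: show the command and the poster's first ratio.
echo "Would run: $(build_dumpcap_cmd eth0 /tmp/udpcap 256)"
echo "Loss for 100000 sent / 96172 captured: $(loss_pct 100000 96172)%"
```

To use it for real, call `run_capture eth0 /tmp/udpcap 256` with capture privileges, replay the packETH stream, stop dumpcap, then compare `capinfos -c` on the ring files against the number of packets sent. If drops persist, raise the `-B` value or lower the snaplen further before blaming the NIC or bus.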
________________________________________
Hello, sirs,

What kind of tools can capture Ethernet packets (such as UDP) fast
enough on the Linux platform? Ethereal cannot fulfill my requirements.
I'm using packETH 1.4 to send packets.
I found that Ethereal cannot monitor all of the packets if I send 100000
(or more) packets (100 bytes per packet) consecutively with a delay
between packets of 8 us (= 0.008 ms = 0.000008 s), i.e. at least some
percent of the packets cannot be captured in Ethereal.
96172/100000 = 96.172%, >3% lost
957952/100000 = 95.7952%, >4% lost
After looking around on Google, I found that Wireshark is a kind of upgraded
version of Ethereal, right? Is it possible to capture all packets as I
want?
Please help me out, thanks in advance.

Winter Song.