wireshark-dev October 2010 archive

Re: [Wireshark-dev] slow when loading big pcaps

From: Anders Broman <a.broman_at_nospam>
Date: Mon Oct 25 2010 - 19:43:05 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

cco wrote 2010-10-25 21:25:
> On Wed, Oct 20, 2010 at 04:07:22AM -0700, Guy Harris wrote:
>> On Oct 20, 2010, at 3:42 AM, cco wrote:
>>
>>> why is wireshark so slow when loading up >500 MB pcaps?
>> Are you saying that the time taken to read a file, as a function of the size of the file, is discontinuous, with a jump at about 500 MB?
> cristian: hi! I have not tested with continuous values of file sizes (I
> hope this is not becoming too mathematical...)
>
> what I wanted to say was that large files take far too long to get
> loaded by wireshark. (2gb file takes 45 minutes...)
>
> and even when it gets loaded it will take even longer (for
> example) to trace the sip voip calls.
>
In the case of SIP there is a hash table built to track request/response; in
1.4 the hash length is increased, improving the speed somewhat. In general
some data is "saved" when reading a file to track the state of protocols; the
bigger the file, the more data is saved. If that data is used to look up
things there may be an increased "cost" for doing the lookup. But it all
depends on the protocols that are in the trace and your preference
settings.

Large trace files are difficult to handle...
>> If so, it might be that the memory used by Wireshark for the file (per-packet data structures, reassembled packets, text for columns that aren't generated on the fly, etc.) becomes large enough that your machine starts paging.
>>
>>> is there any configuration trick to speed this up?
>> If you're paging:
>>
>> Make sure you're running Wireshark 1.4.0 or later - *no* columns can have their text generated on the fly in earlier releases, but some can in 1.4.0.
> cristian: do you mean the gui is that so slow?
>
>> Turning off packet reassembly for various protocols *might* help as well.
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list<wireshark-dev@wireshark.org>
>> Archives: http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe