Wireshark dumpcap on Windows with Threads (by Paul Offord)
The SREs at Advance7 are exploring the factors that limit the maximum rate of capture we can reach with tools like dumpcap and tcpdump. The first step in this type of study is to get a good understanding of how the tool works.
In this video, we explore the operation of dumpcap when using the -t (threads) option. We follow the packets from the NIC to the disk and discover the various mechanisms used.
In the video, I explain the interaction between NDIS and npcap.sys (and tcpip.sys). I've simplified this a little: NDIS actually weaves around these other drivers, but the operation and data flow are pretty much as I show.
Author: Paul is CEO of the Site Reliability Engineering company, Advance7. Through services, technology and consultancy, Advance7 helps banks, financial services companies and insurance companies adopt SRE practices within a traditional enterprise services environment.