I know it shouldn’t surprise me, but to this day there are many people who believe they can capture 1 Gbps just because they have a 1 Gb Ethernet interface.
Here’s the scenario: an analyst was performing a download/upload baseline and wanted to capture the packets to document packet size, latency, loss, etc. I asked if their laptop could keep up with the download they were capturing and they said, “of course, why wouldn’t it?” I thought, this is going to be fun.
I asked them to start Wireshark, set the capture filter for the server name, configure packet slicing (snaplen) at 128 bytes and perform a download. I wanted a download as opposed to an upload since there is a greater load and more work required by a computer when it's receiving data and writing files to its local drive.
I asked them to stop the capture and wait about 30 seconds and then look at the Wireshark status bar and we saw the Dropped packet counter shoot up.
I explained that this is an important exercise to determine how well your laptop and Wireshark behave under ‘load’. We then tried again using dumpcap, with the same settings, and saw similar results.
After trying several tests using tshark, no capture filter, and no packet slicing with similar results, I explained that in this case, I would look to a capture appliance like a Profitap IOTA (https://www.profitap.com/iota-1g/), Optiview, or similar tools.
The other option is to test again with another computer, the same computer with a vanilla Microsoft configuration or use a bootup Linux ISO like Knoppix and retest.
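The dropped-packet check from the test above can also be made after the fact on a saved capture. The following is an added example, not code from the original post: it reads the Interface Statistics Blocks of a pcapng file and reports which interfaces recorded drops. It assumes the capture tool wrote those blocks; the function names and the sample bytes are constructed for illustration.

```python
import struct

SHB, IDB, ISB = 0x0A0D0D0A, 0x00000001, 0x00000005   # pcapng block types
ISB_OPTS = {4: "ifrecv", 5: "ifdrop", 7: "osdrop"}    # pcapng ISB option codes

def _block(btype, body, e="<"):
    """Build one pcapng block (only used to construct sample data)."""
    total = 12 + len(body)
    return struct.pack(e + "II", btype, total) + body + struct.pack(e + "I", total)

def drop_stats(data):
    """Return {interface_id: {counter_name: value}} from raw pcapng bytes."""
    stats, pos, e = {}, 0, "<"
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":   # SHB: byte-order magic follows
            e = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(e + "II", data, pos)
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("malformed or truncated block at offset %d" % pos)
        if btype == ISB:
            body = data[pos + 8:pos + total - 4]
            iface = struct.unpack_from(e + "I", body, 0)[0]
            counters, off = {}, 12                      # skip interface id + timestamp
            while off + 4 <= len(body):
                code, length = struct.unpack_from(e + "HH", body, off)
                if code == 0 or off + 4 + length > len(body):
                    break                               # end of options or overrun
                if code in ISB_OPTS and length == 8:
                    counters[ISB_OPTS[code]] = struct.unpack_from(e + "Q", body, off + 4)[0]
                off += 4 + (length + 3) // 4 * 4        # option values are 32-bit padded
            stats[iface] = counters
        pos += total
    return stats

def lossy_interfaces(data):
    """Interface ids whose statistics show interface-level or OS-level drops."""
    return [i for i, c in drop_stats(data).items() if c.get("ifdrop", 0) or c.get("osdrop", 0)]

def _opt(code, value, e="<"):
    return struct.pack(e + "HHQ", code, 8, value)

# Constructed sample: section header, one interface (snaplen 128), one statistics block.
SAMPLE = (
    _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    + _block(IDB, struct.pack("<HHI", 1, 0, 128))
    + _block(ISB, struct.pack("<III", 0, 0, 0) + _opt(4, 250000) + _opt(5, 18250)
             + struct.pack("<HH", 0, 0))
)

if __name__ == "__main__":
    print(drop_stats(SAMPLE), lossy_interfaces(SAMPLE))
```

For a real file, pass `open(path, "rb").read()` to `drop_stats`; an empty result means the file carries no statistics blocks, not that nothing was dropped.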
Moral of the story: TEST, TEST, TEST, and oh yes, TEST!!!