4

I have never worked in an "enterprise" infrastructure group but have been responsible for small networks. Wireshark (Ethereal back in the day) always worked for me in those situations. Where is the line drawn on when to cross over? Or is there one?

Murali Suriar
squillman

3 Answers

15

In terms of analysis, there's nothing wrong with Wireshark. In fact, many enterprise products make use of Wireshark's code.

I think where things change is how captures are done in larger environments. In smaller shops, if you need to run packet captures, a laptop running Wireshark is fine. However, once you get to larger environments with higher data rates, commodity hardware often isn't up to the task of capturing at line rate. In these cases, it's often necessary to resort to vendors like Endace or Niksun in order to perform the captures; these vendors design custom hardware ASICs with very large buffers that are guaranteed not to drop traffic before it is successfully written to disk.

Even when using these appliances for recording, however, I find that when I export packet captures to my workstation for analysis, Wireshark is the tool that I turn to.

Murali Suriar
4

Such an interesting question... as we now even have the TurboCap adapter to put inline and capture using Wireshark (made by CACE Technologies). And with Pilot's graphical/reporting capabilities added to Wireshark, why would you fork out the big bucks for a commercial analyzer?

IMHO, it is rare (and perhaps faulty procedure) to throw an analyzer into the middle of an infrastructure to capture boatloads of traffic anyway. If a user is complaining, capture the traffic as close to that user as possible. If that system is flooding the net and Wireshark can't keep up, you can (a) typically tell what the flood is caused by just by examining a short trace of the traffic (think Macof), or (b) run tshark at the command line and save to file sets, then examine them in Wireshark.

Laura Chappell
Founder of Wireshark University and Founder of Chappell University (ex-user of Sniffer, OmniPeek and Fluke, and former LANalyzer product manager way back when)
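The two answers above describe the same workflow from two sides: commodity hardware drops packets once the rate climbs, so capture close to the host with tshark into a file set and do the analysis in Wireshark afterwards. The script below is an added example, not code from the thread or from the Wireshark project. It assumes an interface named eth0, a complaining host at 10.0.0.25 and an output directory /var/tmp/caps; the sizing rule (bytes per second at a given megabit rate, rounded up to whole files) is mine, not something the answers state.

```shell
#!/bin/sh
# Added example: ring-buffer capture with tshark for later analysis in Wireshark.
# Assumed names: interface eth0, host 10.0.0.25, output directory /var/tmp/caps.

# tshark's -b filesize: argument is in kB; 1000 bytes per kB is assumed here.
KB=1000

# Number of ring-buffer files needed to retain `seconds` of traffic arriving at
# `rate_mbps` megabits per second, with files of `filesize_kb`.  Rounded up so the
# window is fully covered, plus one for the file currently being written.
ring_files_for() {
    rate_mbps=$1; seconds=$2; filesize_kb=$3
    bytes=$((rate_mbps * 125000 * seconds))      # Mbit/s -> bytes/s, times seconds
    per_file=$((filesize_kb * KB))
    echo $(( (bytes + per_file - 1) / per_file + 1 ))
}

# Build the tshark command as one string so it can be inspected before running.
#   -n  no name resolution (less work per packet)   -q  no per-packet output
#   -f  capture (BPF) filter: only the complaining host, as close to it as possible
#   -s  snaplen: 0 = full packets; something like 128 keeps headers only when the
#       capture machine cannot keep up with the flood
#   -b filesize:/files:  write a numbered file set and overwrite the oldest file
tshark_fileset_cmd() {
    iface=$1; host=$2; outdir=$3; filesize_kb=$4; nfiles=$5; snaplen=$6
    echo "tshark -n -q -i $iface -f 'host $host' -s $snaplen" \
         "-F pcapng -b filesize:$filesize_kb -b files:$nfiles" \
         "-w $outdir/trace.pcapng"
}

# Run the capture (stop it with Ctrl-C; the file set stays on disk), then list
# each file's packet count, duration and first/last timestamps with capinfos so
# the file covering the complaint window can be opened in Wireshark
# (File > File Set > List Files walks the whole set).
capture_fileset() {
    mkdir -p "$3"
    cmd=$(tshark_fileset_cmd "$@")   # built only from this script's own arguments
    echo "$cmd"
    eval "$cmd"
    capinfos -c -u -a -e "$3"/trace_*.pcapng
}

# Usage: only runs when CAPTURE_IFACE is set, since tshark/capinfos may not be
# installed where this script is read.  Retains 5 minutes at 100 Mbit/s in 100 MB files.
if [ -n "${CAPTURE_IFACE:-}" ]; then
    capture_fileset "$CAPTURE_IFACE" 10.0.0.25 /var/tmp/caps 100000 \
        "$(ring_files_for 100 300 100000)" 0
fi
```

Sizing the ring for the expected rate matters because a ring that is too small overwrites the evidence before anyone looks at it; too large and the capture host's disk becomes the bottleneck that drops packets instead of the NIC. tshark itself hands the capture to dumpcap, which reports the packets it received and dropped on the interface when it exits, so that stderr summary is the quickest way to tell whether the commodity box kept up or whether the appliance-class hardware from the first answer is really needed.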

2

Personally, I have never run into a case where a commercial product was needed for this. I work for a software vendor and we refer our customers to Wireshark several times a day to troubleshoot.

dp.

Suppose you have to capture full packet contents without any loss at very high speed, like 10Gbps (for data corruption analysis, for example); that is where dedicated capturing devices come in. That requires a lot of computational power, a large amount of memory, a high-speed bus, disk speed, etc. Running Wireshark on a general-purpose computer wouldn't be able to do the job. – tomoe Jun 02 '09 at 13:32