
I want to use Winpcap to capture all network packets going through a Gigabit NIC of a server.

Assuming that I am able to utilize the network link up to 100%, the maximum network speed is 1000Mbps. If we exclude the TCP/IP headers, the maximum TCP data rate should be roughly 940Mbps.

Let's say I send a 1GB file through the NIC at 940Mbps using TCP destination port 6000. I use Winpcap to capture all network packets going through the NIC and then dump it to a pcap file. If I use Wireshark to analyze the pcap file and then check the sum of packet size for all network packets sent to TCP port 6000, am I able to get exactly 1GB from the pcap file?

Thanks.

userpal
    Unfortunately, without specialized hardware, you're likely to capture around 96% of the packets at best. – David Schwartz Jun 30 '12 at 08:10
  • Let's say you can capture 100% of the packets, are you sure your drive is fast enough to accept data at that speed? – Zoredache Jun 30 '12 at 09:45
  • With a 1GB capture, he's going to want to capture to RAM and then write to disk when he's done. Otherwise, he'll need a mighty fast disk subsystem. – David Schwartz Jun 30 '12 at 09:58
  • @David Schwartz If I just want to calculate the total network traffic (how many bytes) sent to TCP port 6000 between time t1 and time t2, what kind of software should I use? I have checked netstat, but I think netstat on Windows does not allow me to use a filter on the Ethernet statistics. – userpal Jun 30 '12 at 09:59
  • @PatrickL are you trying to solve some specific problem or is this just an exercise in curiosity? – Mxx Feb 10 '13 at 21:12

1 Answer


Assuming that you are able to utilize the network link up to 100%, the maximum network speed is NOT 1Gbps. It's less due to inter-frame gaps and checksums. This is even before you start taking into account packet headers (as you correctly mentioned in your original question).

Also, as implied by a comment above, a typical machine will struggle to generate packets at wirespeed, let alone generate AND capture packets at the same time at wirespeed. The one method I use to generate packets at wirespeed (on a Linux machine) is crafting 1500-byte packets and using tcpreplay. Using this method, I can get very close to wirespeed, but this utilizes the CPU ~100%, unless you are on a very, very fast machine.

Having said all that, there's nothing wrong with your plan to determine the amount of data sent to TCP port 6000 by capturing and viewing with Wireshark. (Make sure you ONLY capture TCP port 6000, rather than all packets on the interface.) You just need to ensure that the CPU is not loaded 100% such that the packet capture isn't able to process all packets. But then, this is true regardless of which method you use.

wookie919
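The two things worth seeing in code here are the wire-rate arithmetic from the answer (preamble, headers, FCS and inter-frame gap eat into the 1000 Mbps before any TCP data is carried) and the question's "will the pcap add up to exactly 1 GB" test. The script below is an added example, not code from the question, the answer, WinPcap or Wireshark. It builds a small constructed capture in memory (the frames, ports, sequence numbers and MAC/IP addresses are made up for the example), parses the libpcap format directly, and reports three totals for TCP destination port 6000 that are easy to confuse: frame bytes (what Wireshark's Length column sums), TCP payload bytes (what the application actually sends), and payload bytes with identical retransmissions dropped. The "unique" count uses a deliberately crude (src port, seq, length) filter, not Wireshark's full retransmission analysis.

```python
"""Sum bytes sent to one TCP port in a libpcap capture (added example)."""
import struct

LINKTYPE_ETHERNET = 1


def wire_efficiency(tcp_header_len=20, mtu=1500):
    """Fraction of the raw link bit rate that is TCP payload for full-size frames.

    Per frame the wire carries: 7-byte preamble + 1-byte SFD, 14-byte Ethernet
    header, the IP packet (20-byte IPv4 header, TCP header, payload), a 4-byte
    FCS and a 12-byte inter-frame gap. With a 20-byte TCP header this gives
    1460/1538 (~949 Mbit/s on GbE); with 12 bytes of TCP options, 1448/1538.
    """
    mss = mtu - 20 - tcp_header_len
    on_wire = 8 + 14 + mtu + 4 + 12
    return mss / on_wire


def build_frame(src_port, dst_port, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; IP and TCP checksums are left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 1,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + tcp
    if len(frame) < 60:                      # minimum Ethernet frame (without FCS)
        frame += b"\x00" * (60 - len(frame))
    return frame


def build_pcap(frames):
    """Serialize frames as a little-endian libpcap file with microsecond timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_records(data):
    """Yield (orig_len, captured_bytes) for each record of a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src_port, dst_port, seq, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    tcp = 14 + ihl
    src, dst, seq = struct.unpack_from("!HHI", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    # Use the IP total length, not the frame length: short frames carry
    # Ethernet padding that is not TCP data.
    return src, dst, seq, total_len - ihl - data_off


def summarize_capture(pcap_bytes, dst_port):
    """Byte totals for segments whose TCP destination port is dst_port."""
    stats = {"frames": 0, "matched": 0, "frame_bytes": 0,
             "payload_bytes": 0, "unique_payload_bytes": 0}
    seen = set()
    for orig_len, frame in iter_pcap_records(pcap_bytes):
        stats["frames"] += 1
        seg = tcp_segment(frame)
        if seg is None or seg[1] != dst_port:
            continue
        src, _dst, seq, plen = seg
        stats["matched"] += 1
        stats["frame_bytes"] += orig_len      # what Wireshark's Length column sums
        stats["payload_bytes"] += plen        # what the application actually sent
        if (src, seq, plen) not in seen:      # crude retransmission filter
            seen.add((src, seq, plen))
            stats["unique_payload_bytes"] += plen
    return stats


def sample_pcap():
    """Constructed capture: three data segments to port 6000, a retransmission
    of the last one, a pure ACK back from the server, and an unrelated HTTP segment."""
    return build_pcap([
        build_frame(51000, 6000, 1, b"A" * 1460),
        build_frame(51000, 6000, 1461, b"B" * 1460),
        build_frame(51000, 6000, 2921, b"C" * 100),
        build_frame(51000, 6000, 2921, b"C" * 100),   # retransmitted segment
        build_frame(6000, 51000, 1, b""),             # ACK from the server
        build_frame(51001, 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
    ])


if __name__ == "__main__":
    print(summarize_capture(sample_pcap(), 6000))
    print("best-case TCP payload rate on GbE: %.1f Mbit/s" % (1000 * wire_efficiency()))
```

On the constructed capture the port-6000 frame total (3336) is larger than the payload total (3120), which is larger again than the de-duplicated payload (3020): summing packet lengths in Wireshark will not give exactly the file size, and even the payload sum overshoots whenever a segment is retransmitted. Capturing with a `tcp dst port 6000` filter keeps the ACKs flowing the other way out of the count and reduces the work the capture has to do, which is the answer's point about not saturating the CPU; any drops the capture driver reports will make the totals low rather than high.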