Wireshark and mirrored ports bringing in 10k+ packets a second

Question

I've got wireshark setup on a monitoring machine to monitor our offices internet traffic (approx 40 machines). However, whenever I start wireshark within about 30-40 seconds it has crashed - I think due to the large volume of packets being received around 10,000+ per second. Is there anyway to solve this? I have attempted to use the filter option near the top of the screen, but I still have to enable to monitoring and by that time too much data is being passed for the computer to cope... I think!

Answer 1

If you're really trying to trace the office's entire internet connection, you're going to need hardware and software that is correctly-sized. Do you really want wireshark running all the time? Do you need a full packet-inspection at all times? Hint - you probably don't.

Might you be better served by something like WebSense or SurfControl (to see what HTTP(S) sites users are hitting), or Netflow (to identify protocols and top talkers), or both?

Without knowing what your complete goal is, how much traffic is going over your internet pipe, and the performance of your monitoring machine, we can't tell you how to fix your problem. But I'm guessing that you're trying to solve it the wrong way. Wireshark is best used for very specific problem troubleshooting, not as a packet tap to run all the time, for the problems most often faced by an office your size.

Answer 2

Don't use display filters, but use capture filters instead. This way, wireshark can forget about all the packets you're not interested in.

See http://ask.wireshark.org/questions/12452/where-are-the-capture-filter-options-in-wireshark-180 for hints how to find the capture filter options.