Hi There,
The Getting Started manual for Sniffer Pro states the buffer size can go up to 192mb on Windows 98. Mine only goes up to 40mb in the define filter tab. How do you increase this setting?
With 4.7 the buffer size is 50% of available physical memory, which means if I have 1000 Meg total and 512 after the OS and programs load, then I can set a capture buffer of 256 meg of RAM.
Do you people have any idea how many frames that is in a +- 40 meg buffer? About 150000 to 250000. You people want to try and analyse anything bigger? Rather snap small files to HDD, then use your ART and dashboard to help you with the analysis.
I think what James Garlic!!, was trying to say was: If your PC hasn't got a lot of RAM in it, take lots of small captures and instead of saving them into system memory, save them directly to file.
This can be easily done when you "define filter" - in the "buffer" tab, select "save to file" and the number of files you wish to take.
As LANGURU mentions, the capture file is directly proportional to the amount of physical RAM. As a "rule-of-thumb", a capture can be half the amount of physical RAM.
Depending on the type of problem you are trying to solve, Packet Slicing is another good method. Instead of capturing the entire packet, you can capture just the beginning of the frame.
A good example is an FTP transfer. First calculate the average frame size. Usually there are two data packets for every acknowledgement. So the average frame size is ((2*1518) + 64) / 3 or about 1033 bytes. Now let's say your capture buffer is 40mb. You could fit about 38,722 frames in the buffer before it wraps around. When analyzing an FTP, we don't really need to look at the data portion of the packet, instead we are interested in the delta times and TCP header information. Maybe some FTP command information.
So, if we slice the packet to 128 bytes we can now fit 312,500 frames in the same 40mb buffer! That's almost 10 times as much. You can set the packet slicing in the Buffer tab of the Define Capture Filter dialog box. NAI calls this "Packet Size". If you are just looking for IP addresses and TCP info, you can get by with 64 bytes of packet size.
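An added example (not part of the original posts, and not Sniffer Pro code): Python that reproduces the slicing arithmetic from the last post and checks whether a given packet size still holds the complete Ethernet, IPv4 and TCP headers. The frames are constructed sample data; it assumes a 40,000,000-byte buffer, no per-frame buffer overhead, and that frames shorter than the packet size are stored at their real length.

```python
import struct

def build_frame(tcp_options=b"", payload=b""):
    """Constructed Ethernet II / IPv4 / TCP frame (sample data, checksums left zero)."""
    tcp_len = 20 + len(tcp_options)
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 21, 0, 0, (tcp_len // 4) << 4,
                      0x18, 8192, 0, 0) + tcp_options
    return eth + ip + tcp + payload

def header_bytes(frame):
    """Bytes needed to keep the Ethernet, IPv4 and TCP headers (no VLAN tag)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("not TCP over IPv4 over Ethernet II")
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length, 20-60 bytes
    tcp_hdr = (frame[14 + ihl + 12] >> 4) * 4  # TCP data offset, 20-60 bytes
    return 14 + ihl + tcp_hdr

def slice_report(frame, slice_size):
    """(headers intact?, payload bytes kept) after slicing to slice_size."""
    need = header_bytes(frame)
    kept = min(len(frame), slice_size)
    return kept >= need, max(0, kept - need)

def frames_in_buffer(buffer_bytes, frame_mix, slice_size=None):
    """Frames that fit before the buffer wraps, for a repeating mix of frame sizes.
    Assumes no per-frame overhead and that short frames are not padded."""
    stored = [n if slice_size is None else min(n, slice_size) for n in frame_mix]
    return buffer_bytes * len(frame_mix) // sum(stored)

TS_OPT = b"\x01\x01\x08\x0a" + bytes(8)              # NOP, NOP, TCP timestamps (12 bytes)
FTP_CMD = build_frame(TS_OPT, b"RETR file.bin\r\n")  # constructed control-channel frame

if __name__ == "__main__":
    mix = [1518, 1518, 64]  # two full data frames per ACK, as in the post
    # The unsliced count uses the exact average; the post's 38,722 uses 1033 rounded.
    for size in (None, 128, 64):
        print(size, frames_in_buffer(40_000_000, mix, size),
              slice_report(FTP_CMD, size or len(FTP_CMD)))
```

With TCP timestamps present the headers take 66 bytes, so a 64-byte packet size clips the TCP options, while 128 bytes keeps them along with the FTP command.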