Wireshark-dev: Re: [Wireshark-dev] AthTek NetWalk
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 21 Sep 2011 13:59:25 -0700

On Sep 21, 2011, at 9:04 AM, Chris Maynard wrote:

> "AthTek NetWalk is the ONLY network analysis tool to offer full integration with
> Wireshark, and it performs better than using Wireshark. It has better speed,

For a 776 megabyte trace file, on my 32-bit virtual machine running Windows XP:

	Wireshark - read it in about 2 minutes 45 seconds (all the way to displaying the packets);

	AthTek NetWalk - read it in about 7 minutes 42 seconds.

Perhaps they were comparing against a Wireshark that used the old packet list, or something such as that?

(Just for fun, I tried it with NetMon 3.4 - it took about 2 minutes 45 seconds to display the packets, *but* it wasn't finished reading the capture; I tried dragging the scrollbar to the last frame, and it started parsing a lot more frames.  It's still parsing....  My guess is it makes a quick first pass to find all the frames - the native format has a frame table so it can quickly do that - and then does "lazy dissection" of frames, not dissecting until necessary, e.g. if you scroll down.)

As for "full integration with Wireshark", they appear to use Wireshark's dissectors in the packet view - they have a collection of Wireshark DLLs in the "wireshark" subdirectory, along with a bunch of the DLLs we use, including some GPLed ones.  They also have "wireshark.exe", so they might have done the usual "arm's length" trick to avoid having to give their stuff away.