Wireshark-users: Re: [Wireshark-users] Wireshark & monitoring in the enterprise environment
From: Martin Sustrik <sustrik@xxxxxxxxxx>
Date: Mon, 09 Feb 2009 11:57:06 +0100
Mario,

Thanks for comments, find my replies inlined.

mv652@xxxxxxxxxxxx wrote:
In my opinion, I think you've written a well documented introduction for anyone looking to monitor Financial Trading (or similar) Data. It gives a very nice and simple methodology to get a 'general feel' for the traffic passing over the network. One caveat I'd add with regards to monitoring Financial Trading activity (and I'm happy if anyone can explain any different), is that this is good for a general network data analysis. For high-frequency algo-type trading activity, wireshark seems to have found its limitation (at least for the moment). The granularity of the wireshark I/O is at a minimum of 0.001 sec (1 millisecond). In high-frequency trading we are now monitoring at the depths of microseconds (0.000001 sec) as opposed to milliseconds. There are two problems as a consequence: 1) The NIC used for 'monitoring' is unable to poll at these levels (CACE's TurboCap only provides 3-5 microsecond granularity, and this is a 'specialized' monitoring card)

Sure, latency monitoring using Wireshark wouldn't do, however, AFAIU, monitoring of the throughput - say with a window 1 sec long - may work, no?

As for the cards, I recall Endace claiming microsecond (or even lower) granularities. Does it mean that when using Wireshark for the analysis of the captured data, microseconds are simply stripped off?

2) Wireshark does provide microsecond timestamps for the data, but the accuracy of the data is questionable, dependent on the hardware used and other processes occurring at the time on the monitoring system. Please don't get me wrong. I think wireshark is a fantastic network analysis tool and a lot of good work has been done by the authors and the community to make it the great piece of software it is today. Just to point out that I think you should indicate there is a limitation to the analysis of data that can be captured. I only say this purely due to the fact the document has been written analysing Financial Trading traffic.

Yup, understood.

Martin
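The throughput question raised above (a 1-second window computed from a capture whose timestamps are finer than the I/O graph tick) can be checked directly on the capture file. The following is an added example for this thread, not code from either poster or from the Wireshark project. It parses the classic pcap record format, in which every packet carries a seconds field plus a fractional field that is microseconds under magic 0xa1b2c3d4 and nanoseconds under magic 0xa1b23c4d, keeps the timestamps as integer nanoseconds so nothing is rounded away, reports the smallest inter-arrival gap, and sums bytes per window. The sample capture is constructed in memory (six zero-filled frames, two of them 3 µs apart); no real trading feed or file is involved.

```python
"""Read pcap timestamps at full precision and bin throughput into windows.

Added example for this thread; the sample capture below is constructed in
memory and is not a real capture.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap: fractional field is microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant: fractional field is nanoseconds
# Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# Per-packet header: ts_sec, ts_frac, incl_len, orig_len
PKT_HDR = struct.Struct("<IIII")


def build_pcap(packets, nanosecond=False):
    """Build a little-endian pcap byte string from (ts_sec, ts_frac, length).

    ts_frac is in microseconds, or nanoseconds when nanosecond=True.
    Payload bytes are zeros; only timestamps and lengths matter here.
    """
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = [GLOBAL_HDR.pack(magic, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for sec, frac, length in packets:
        out.append(PKT_HDR.pack(sec, frac, length, length))
        out.append(b"\x00" * length)
    return b"".join(out)


def parse_pcap(data):
    """Return (fraction_unit_ns, [(timestamp_ns, captured_len), ...]).

    Timestamps are integer nanoseconds, so microsecond or nanosecond
    precision present in the file survives intact.
    """
    magic_le = struct.unpack_from("<I", data, 0)[0]
    magic_be = struct.unpack_from(">I", data, 0)[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file")
    frac_unit_ns = 1 if magic == PCAP_MAGIC_NSEC else 1000
    pkt_hdr = struct.Struct(endian + "IIII")
    off = GLOBAL_HDR.size
    packets = []
    while off + pkt_hdr.size <= len(data):
        sec, frac, incl_len, _orig_len = pkt_hdr.unpack_from(data, off)
        off += pkt_hdr.size
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        packets.append((sec * 10**9 + frac * frac_unit_ns, incl_len))
        off += incl_len
    return frac_unit_ns, packets


def min_interarrival_ns(packets):
    """Smallest gap between consecutive packets in ns (None if < 2 packets)."""
    ts = [t for t, _ in packets]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return min(gaps) if gaps else None


def throughput_per_window(packets, window_ns=10**9):
    """Sum captured bytes per window (default 1 s) and convert to bit/s.

    Returns a sorted list of (window_start_ns, bytes, bits_per_second).
    """
    buckets = defaultdict(int)
    for ts_ns, length in packets:
        buckets[(ts_ns // window_ns) * window_ns] += length
    return [(start, nbytes, nbytes * 8 * 10**9 / window_ns)
            for start, nbytes in sorted(buckets.items())]


# Constructed sample (ts_sec, ts_usec, length): two frames 3 us apart, then a
# few more spread over three seconds.
SAMPLE = [(0, 0, 1500), (0, 3, 1500), (0, 500000, 64),
          (1, 200000, 1500), (1, 900000, 64), (2, 0, 1500)]

if __name__ == "__main__":
    unit, pkts = parse_pcap(build_pcap(SAMPLE))
    print("fractional timestamp unit: %d ns" % unit)
    print("smallest inter-arrival gap: %d ns" % min_interarrival_ns(pkts))
    for start, nbytes, bps in throughput_per_window(pkts):
        print("t=%ds  %d bytes  %.0f bit/s" % (start // 10**9, nbytes, bps))
```

Pass `window_ns=10**6` to see 1 ms bins, or `10**3` for 1 µs bins; the bin width is independent of the display granularity of any graphing front end, and the timing accuracy of the numbers is of course still bounded by the capture hardware that stamped the packets.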