Chapter 1.3. Examining a Busy Network Using Filters

INTRODUCTION

On a busy network, a network protocol analyzer can capture hundreds or thousands of packets every second. This can lead to information overload for both the analyzer program and for the human user.

For each packet that appears on the network, the analyzer program must at a minimum copy the contents into memory. Depending on the capture options chosen by the user, it may also need to write the packet to a file or display it in the GUI. It may perform various translation activities, such as looking up port numbers in a hard-coded table of well-known port numbers or issuing network queries (for example, reverse DNS lookups) to translate the IP addresses found in the trace into human-readable machine names. Ethereal will also do some preliminary characterization of each packet's contents in order to update the packet totals on the capture summary screen. Every one of these steps is work that must be completed per packet, and the network does not wait for it.

At higher data rates, the analyzer may not finish all of these tasks before the next packet arrives. If it is still busy when the next packet arrives, it may be unable to copy that packet into memory, and the packet is "dropped." Dropped packets are not recorded in the trace even though they appeared on the network, so a trace with drops is an incomplete record of what happened: a TCP conversation may seem to skip sequence numbers, or a request may appear to have no response. Most capture tools report a drop count at the end of a capture (tcpdump, for example, prints a "packets dropped by kernel" line), and it is worth checking that count before drawing conclusions from a trace.

Depending on the network data rate and the speed of the computer, it may be necessary to take steps to minimize dropped packets. One logical choice is to disable real-time display and translation. These activities can always be performed ...
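The following Python model is an added example, not code from the book or from Ethereal, that makes the mechanism above concrete: packets arrive at a fixed rate, the analyzer takes them one at a time from a bounded buffer and spends a fixed time on each (copying it, then optionally updating the display and optionally resolving names), and any packet that arrives while the buffer is full is dropped. A capture filter is applied before the buffer and is modelled as free; packets it rejects are counted as "filtered," not "dropped." The traffic is constructed inline, and all timings and costs (the per-packet microsecond figures, the buffer of four slots) are assumed values chosen to make the arithmetic easy to follow, not measurements of any real analyzer.

```python
"""Model of why a protocol analyzer drops packets on a busy network, and how
disabling real-time work or adding a capture filter reduces the drops.

Added example, not from the book. All costs and timings are assumed values
in microseconds, not measurements.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    arrival: int    # arrival time on the wire, microseconds
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AnalyzerOptions:
    copy_cost: int = 8            # assumed: copy packet into memory, µs
    display_cost: int = 12        # assumed: GUI update and summary totals, µs
    resolve_cost: int = 30        # assumed: port/name translation, µs
    real_time_display: bool = True
    name_resolution: bool = True

    def per_packet_cost(self) -> int:
        """Time the analyzer spends on one packet before it can take the next."""
        cost = self.copy_cost
        if self.real_time_display:
            cost += self.display_cost
        if self.name_resolution:
            cost += self.resolve_cost
        return cost


def make_busy_network(n: int, interval: int = 10) -> list[Packet]:
    """Constructed traffic: one packet every `interval` µs. Every fifth packet
    is HTTP (tcp/80); the rest alternates between DNS (udp/53) and SMB (tcp/445)."""
    packets = []
    for i in range(n):
        if i % 5 == 0:
            packets.append(Packet(i * interval, "tcp", 80))
        elif i % 2 == 1:
            packets.append(Packet(i * interval, "udp", 53))
        else:
            packets.append(Packet(i * interval, "tcp", 445))
    return packets


def http_only(pkt: Packet) -> bool:
    """Capture filter equivalent to 'tcp port 80' for the constructed traffic."""
    return pkt.proto == "tcp" and pkt.dst_port == 80


def capture(packets: list[Packet], opts: AnalyzerOptions, buffer_slots: int = 4,
            capture_filter: Optional[Callable[[Packet], bool]] = None) -> tuple[int, int, int]:
    """Simulate a capture; return (captured, dropped, filtered) counts.

    `packets` must be sorted by arrival time. The analyzer services the buffer
    in FIFO order, one packet at a time, and is busy for per_packet_cost() µs
    per packet. An arriving packet finds either a free slot or a full buffer;
    in the second case it is dropped exactly as on a real capture.
    """
    cost = opts.per_packet_cost()
    buffer: deque[Packet] = deque()
    analyzer_free_at = 0          # time at which the analyzer can take another packet
    captured = dropped = filtered = 0
    for pkt in packets:
        now = pkt.arrival
        # Let the analyzer drain whatever it had time to process before `now`.
        while buffer and analyzer_free_at <= now:
            head = buffer.popleft()
            analyzer_free_at = max(analyzer_free_at, head.arrival) + cost
            captured += 1
        # The capture filter runs before the packet costs a buffer slot.
        if capture_filter is not None and not capture_filter(pkt):
            filtered += 1
            continue
        if len(buffer) < buffer_slots:
            buffer.append(pkt)
        else:
            dropped += 1          # buffer full: the packet is lost from the trace
    captured += len(buffer)       # whatever is still buffered gets processed later
    return captured, dropped, filtered


if __name__ == "__main__":
    traffic = make_busy_network(200)
    scenarios = [
        ("display + resolution", AnalyzerOptions(), None),
        ("display only", AnalyzerOptions(name_resolution=False), None),
        ("neither", AnalyzerOptions(real_time_display=False, name_resolution=False), None),
        ("display + resolution, filter 'tcp port 80'", AnalyzerOptions(), http_only),
    ]
    for label, opts, flt in scenarios:
        cap, drop, filt = capture(traffic, opts, capture_filter=flt)
        print(f"{label:45s} captured={cap:3d} dropped={drop:3d} filtered={filt:3d}")
```

With the assumed costs, copying alone (8 µs) keeps up with a packet every 10 µs and nothing is dropped; adding the display update (20 µs per packet) loses roughly every other packet once the buffer fills, and adding name resolution on top (50 µs per packet) loses four out of five. With the same expensive options but a capture filter that admits only the HTTP traffic, the analyzer sees one packet every 50 µs and again keeps up, which is the point of the chapter title: on a busy network, filtering at capture time is what makes the trace trustworthy.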
