This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Are tshark statistics slow?

0

Previous post

I use one tshark instance to sniff for 30 sec a network interface before a web server:

tshark -a duration:30 -f "(tcp dst port 8080) && (tcp[13]=0x02 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)" -w sniff.pcap

to capture packets with TCP.SYN and/or HTTP.GET requests.

Following that, I call tshark to gather statistics from the capture file:

tshark -r sniff.pcap -qz "io,stat,0,COUNT(tcp.flags)tcp.flags==0x02" -z "io,stat,0,COUNT(http.request.method)http.request.method=="GET""

Both these calls are made from a Java program using Runtime.exec() method in different threads.
The concept is that capturing happens for 30 sec, then the next 30-sec-capturing starts, while in another thread statistics are gathered from the first capture.
The problem is that the statistics call almost never runs to completion in the 30 sec window until its next call (sometimes takes minutes).

Is this delay something expected? Is there a way to speed the statistics up?

asked 26 Jan '12, 14:53

adonies's gravatar image

adonies
12225
accept rate: 0%

edited 27 Jan '12, 13:40

The first thing I'd do is run the tshark "gather statistics" command manually on one of the capture files to see how long it takes.

I'd then try manually running the tshark capture and the analysis simultaneously (two sub-processes ?) and see how that works.

This will give some info to verify that there's an issue with tshark being slow as opposed to some other problem (like some problem using threads or something).

(26 Jan '12, 20:47) Bill Meier ♦♦

I ran tshark stats manually (windows command prompt) on one of the capture files and it completed in ~ 5sec the first time and half that time each time afterwards.

I ran tshark capture and stats manually as separate concurrent processes (separate windows command prompts) and saw no significant effect on the stats gathering time, which was less than 5 sec each and every time.

(27 Jan '12, 13:44) adonies

So: it sounds like the issue is not with tshark but with the the way it's being invoked in Java (or something) ??

(28 Jan '12, 07:57) Bill Meier ♦♦