tshark calls dumpcap to capture packets. Sending direct from dumpcap to tshark via a pipe avoids using the tmp file between them. You might also add stdbuf before dumpcap and tshark to shave off a little more time.
$ dumpcap -i 1 -w - | tshark -t a -l -r - | ts '%Y%m%d-%H:%M:%.S'
~/wireshark/build_3.4.2/run$ tshark -t a -i 1 -l | ts '%Y%m%d-%H:%M:%.S'
20210209-11:44:36.584299 1 11:44:35.842189446 192.168.200.21 → 192.168.200.135 SSH 294
20210209-11:44:36.584487 2 11:44:35.842374637 192.168.200.21 → 192.168.200.135 SSH 262
20210209-11:44:36.584578 3 11:44:35.845603063 192.168.200.135 → 192.168.200.21 TCP 60

~/wireshark/build_3.4.2/run$ dumpcap -i 1 -w - | tshark -t a -l -r - | ts '%Y%m%d-%H:%M:%.S'
20210209-11:45:58.647716 1 11:45:58.405589397 192.168.200.21 → 192.168.200.135 SSH 118
20210209-11:45:58.647941 2 11:45:58.410388536 192.168.200.135 → 192.168.200.21 TCP 60
20210209-11:45:58.648017 3 11:45:58.467481645 Dell_4a:4e:de → Vmware_fa:a3:37 ARP 60
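As an added example (not part of the answer above, and not Wireshark's own code): a small Python script that parses the `ts`-stamped tshark lines shown in the post and computes how far behind the packet's own capture time (`-t a`) each line reached `ts`, which is the latency the pipe is meant to reduce. The sample lines are the ones quoted above; the midnight wrap handling and the `line_delay_us` / `mean_delay_ms` names are my own.

```python
"""Measure tshark output latency from lines stamped by `ts '%Y%m%d-%H:%M:%.S'`.

Each line starts with the wall-clock time `ts` received it, then the frame number,
then the packet's capture time (from `tshark -t a`). ts-time minus capture-time is
the delay between the packet hitting the wire and the line leaving the pipeline.
"""
import re
from typing import Optional

# Sample output quoted from the post above (first run: tshark capturing by itself).
NO_PIPE = """\
20210209-11:44:36.584299 1 11:44:35.842189446 192.168.200.21 → 192.168.200.135 SSH 294
20210209-11:44:36.584487 2 11:44:35.842374637 192.168.200.21 → 192.168.200.135 SSH 262
20210209-11:44:36.584578 3 11:44:35.845603063 192.168.200.135 → 192.168.200.21 TCP 60
"""
# Second run: dumpcap -w - piped straight into tshark -r -.
PIPED = """\
20210209-11:45:58.647716 1 11:45:58.405589397 192.168.200.21 → 192.168.200.135 SSH 118
20210209-11:45:58.647941 2 11:45:58.410388536 192.168.200.135 → 192.168.200.21 TCP 60
20210209-11:45:58.648017 3 11:45:58.467481645 Dell_4a:4e:de → Vmware_fa:a3:37 ARP 60
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\d{8}-\d{2}:\d{2}:\d{2}\.\d+)\s+"  # ts wall-clock stamp
    r"(?P<frame>\d+)\s+"                             # frame number
    r"(?P<pkt>\d{2}:\d{2}:\d{2}\.\d+)\s"             # capture time (-t a), ns precision
)

def _to_micros(clock: str) -> int:
    """'HH:MM:SS.fraction' -> microseconds since midnight; fraction truncated to 6 digits."""
    hms, frac = clock.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac[:6].ljust(6, "0"))

def line_delay_us(line: str) -> Optional[int]:
    """Delay in microseconds for one stamped line, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    delay = _to_micros(m["stamp"].split("-")[1]) - _to_micros(m["pkt"])
    if delay < 0:  # assumption: a negative value means the ts stamp crossed midnight
        delay += 24 * 3600 * 1_000_000
    return delay

def mean_delay_ms(output: str) -> float:
    """Average capture-to-output delay in milliseconds over all packet lines."""
    delays = [d for d in map(line_delay_us, output.splitlines()) if d is not None]
    if not delays:
        raise ValueError("no tshark packet lines found")
    return sum(delays) / len(delays) / 1000.0

if __name__ == "__main__":
    print(f"tshark alone : {mean_delay_ms(NO_PIPE):.3f} ms")
    print(f"dumpcap | tshark: {mean_delay_ms(PIPED):.3f} ms")
```

Feed it live output with `dumpcap -i 1 -w - | tshark -t a -l -r - | ts '%Y%m%d-%H:%M:%.S' > run.log` and pass the file contents to `mean_delay_ms` to compare your own two configurations.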