Ask Your Question
0

Tshark command output doesn't keep up with packets

asked 2019-07-09 19:26:33 +0000

tkzheng gravatar image

I'm currently trying to use Tshark to monitor packets from a TCP connection in real time. The Tshark command I have is working and is outputting packet information, but the issue is that it is hugely delayed.

Lets say I start tshark, then run iPerf. By the time iPerf has finished the 10 second transfer interval, tshark is still showing me packets of around only 3 seconds (relative time to start of stream). It will then over the next 10 seconds or so, finish printing all the packets. The same issue occurs if I pipe it into another program, making me believe the actual printing to screen is not causing the delay.

What could be causing this? Is Tshark writing to disk somewhere instead of directly dissecting the packets causing an IO delay?

The command I use is shown below: sudo tshark -P -i eno1 -B 5 -l -f 'tcp and port 5201' -T fields -E separator=, -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.window_size -e tcp.time_relative -e tcp.analysis.ack_rtt -e tcp.analysis.lost_segment -e tcp.analysis.duplicate_ack -e tcp.analysis.out_of_order -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission

Thanks

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-10 19:45:39 +0000

SYN-bit gravatar image

Do you have name resolution enabled in your Default profile? That might slow things down. You might want to add -n to your tshark command to make sure it does not do name resolution.

edit flag offensive delete link more

Comments

Unfortunately that seems to have no effect on the issue.

tkzheng gravatar imagetkzheng ( 2019-07-15 17:53:19 +0000 )edit

Is Tshark writing to disk somewhere instead of directly dissecting the packets causing an IO delay?

Yes, tshark (as well as Wireshark) uses dumpcap to capture the packets. Dumpcap writes to a temporary file and tshark (and Wireshark) read from the temporary file. I usually keep 200 Mbit/s as a maximum of traffic that can be processed by just dumpcap alone without missing packets. So when using tshark with dissection, this value will probably be lower.

SYN-bit gravatar imageSYN-bit ( 2019-07-15 22:26:11 +0000 )edit

Is it possible to configure the location of this file so that I could use something like a RAMdisk for faster IO?

tkzheng gravatar imagetkzheng ( 2019-07-15 22:48:52 +0000 )edit

Yes, you can set the tmpdir that dumpcap/tshark uses:

sake@MacSake:~$ tshark -G folders | grep -i temp
Temp:                   /var/folders/j8/x8jn12nd2bqd0330ts6tcp7w0000gn/T/
sake@MacSake:~$ export TMPDIR='/tmp/'
sake@MacSake:~$ tshark -G folders | grep -i temp
Temp:                   /tmp/
sake@MacSake:~$
SYN-bit gravatar imageSYN-bit ( 2019-07-16 07:56:56 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-09 19:26:33 +0000

Seen: 684 times

Last updated: Jul 10 '19

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2