Ask Your Question
0

Stop buffer while capturing packets

asked 2021-02-09 15:16:39 +0000

shivam gravatar image

updated 2021-02-09 15:35:28 +0000

cmaynard gravatar image

Hi,

I am trying to run a command and store output, but the packets captured and buffer time gets difference of 500 ms to 1 sec. I want to narrow it down to 50 ms.

Here is the command: sudo tshark -i eno1 -l -x -T ek "udp port 37008" | stdbuf -o0 grep timestamp |stdbuf -o0 jq -r -c '"{\"data\": \"\(.layers.frame_raw)\", \"ipSrc\": \"\(.layers.ip.ip_ip_src)\", \"timestamp\":\"\(.layers.frame.frame_frame_time)} "' | stdbuf -o0 ts '%Y%m%d-%H:%M:%.S'

output:

20210208-11:39:11.821374 {"data": "d0946648264170b3d5f2b1420800450000cd154a40004011a023c0a80193c0a801cfe700909000b95917001480ad4eb0d3a226cabde3e1d1df9c8a798788441e9285f170000000fd7d0fa1007fff80805a0f00020214c1c0ffe9bfe50fe1fffc0ffe4bfd42fd9fffc0ffcd3fe08fb5fffc10014bfddefb5fffc1001bbffdaf7ffffc1001ac0058f7dfffc1001c3ffc4fa1fffc0ffe2bff1cfd7fffc0ffc43fe92ff9fffc100143ff2cfedfffc1000ebff3cfe5fffc0ffebbff26fb5fffc100393fe72f93fffc10066bff7904dfffc100554003d07dfffcfffec800", "ipSrc": "192.168.1.147", "timestamp":"Feb  8, 2021 11:39:11.173803555 EST}
20210208-11:39:11.821696 {"data": "d0946648264170b3d5f2b1420800450000cd155140004011a01cc0a80193c0a801cfe700909000b9badd001480ad4ef0d3a226cad6e3e1d1df9c8a798788441a1883f070000000fd7d0fa1007fff80805a0f00020214c1c0ffe9bfe50fe1fffc0ffe4bfd42fd9fffc0ffcd3fe08fb5fffc10014bfddefb5fffc1001bbffdaf7ffffc1001ac0058f7dfffc1001c3ffc4fa1fffc0ffe2bff1cfd7fffc0ffc43fe92ff9fffc100143ff2cfedfffc1000ebff3cfe5fffc0ffebbff26fb5fffc100393fe72f93fffc10066bff7904dfffc100554003d07dfffcfffec800", "ipSrc": "192.168.1.147", "timestamp":"Feb  8, 2021 11:39:11.272990338 EST}
20210208-11:39:11.822250 {"data": "d0946648264170b3d5f2b1420800450000cd155240004011a01bc0a80193c0a801cfe700909000b9985d001480ad4f30d3a226caf023e1d1df9c8a798788441a1883f970000000fd7d0fa1007fff80805a0f00020214c1c0ffe9bfe50fe1fffc0ffe4bfd42fd9fffc0ffcd3fe08fb5fffc10014bfddefb5fffc1001bbffdaf7ffffc1001ac0058f7dfffc1001c3ffc4fa1fffc0ffe2bff1cfd7fffc0ffc43fe92ff9fffc100143ff2cfedfffc1000ebff3cfe5fffc0ffebbff26fb5fffc100393fe72f93fffc10066bff7904dfffc100554003d07dfffcfffec800", "ipSrc": "192.168.1.147", "timestamp":"Feb  8, 2021 11:39:11.373111721 EST}
edit retag flag offensive close merge delete

Comments

Thanks but issue is there:

[email protected]:/home/kyra# sudo dumpcap -i 1 | tshark -i eno1 -B 10240 -n -p -x -T ek "udp port 37008" | stdbuf -o0 grep timestamp |stdbuf -o0 jq -r -c '"{\"data\": \"(.layers.frame_raw)\", \"ipSrc\": \"(.layers.ip.ip_ip_src)\", \"timestamp\":\"(.layers.frame.frame_frame_time)} "' | stdbuf -o0 ts '%Y%m%d-%H:%M:%.S' Running as user "root" and group "root". This could be dangerous. Capturing on 'eno1' File: /tmp/wireshark_eno1_20210209140021_QDX19l.pcapng Capturing on 'eno1' Packets: 39 20210209-14:00:22.966939 {"data": "d0946648264170b3d5f2b142080045000092b67740004011ff30c0a80193c0a801cfe7009090007ed1ea001f736010dfd40000000000a5d07400000708f8746b87229e6e7fffe41ba84000a8015201808f8746b87229e6e70009c7229bb071f0e95f00a0a71c8a7f42c7c3a81a027d8c7229fdab1f0e5bd0c7229be631f0e61e800004042d0e44d3cf0e2d997220ad97469c7b32a08997a65c7d32e442850a10", "ipSrc": "192.168.1.147", "timestamp":"Feb 9, 2021 14:00:22.260596803 EST} 20210209-14:00:22.967233 {"data": "d0946648264170b3d5f2b1420800450000cdb67a40004011fef2c0a80193c0a801cfe700909000b9eac1001480ad5ce9741d0015ade3e1d1ae1c8a79b9885014140fd270000000fd7d0fa1007fff80805a0f00020214c1c100053feb8fddfffc0ff9b3ff9afd3fffc10000c0003037fffc0fff53ffe102ffffc0ffec3ff00ff1fffc0fffabffff013fffc0ff91c0043003fffc0ffe940074fb7fffc1003ac010efe5fffc0fff63ffdcfc3fffc10016bfebcf9dfffc0ff853ffeeff5fffc0ffa33ff64ff7fffc0ffff40062fd3fffc100393ffc300dfffcfffec800", "ipSrc": "192.168.1.147", "timestamp":"Feb 9, 2021 14:00:22.300247199 EST}

shivam gravatar imageshivam ( 2021-02-09 19:04:08 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2021-02-09 17:53:12 +0000

Chuckc gravatar image

tshark calls dumpcap to capture packets.
Sending direct from dumpcap to tshark via a pipe avoids using the tmp file between them.
You might also add stdbuf before dumpcap and tshark to shave off a little more time.

$ dumpcap -i 1 -w - | tshark -t a -l -r - | ts '%Y%m%d-%H:%M:%.S'
~/wireshark/build_3.4.2/run$ tshark -t a -i 1 -l | ts '%Y%m%d-%H:%M:%.S'
20210209-11:44:36.584299     1 11:44:35.842189446 192.168.200.21 → 192.168.200.135 SSH 294 
20210209-11:44:36.584487     2 11:44:35.842374637 192.168.200.21 → 192.168.200.135 SSH 262 
20210209-11:44:36.584578     3 11:44:35.845603063 192.168.200.135 → 192.168.200.21 TCP 60 

~/wireshark/build_3.4.2/run$ dumpcap -i 1 -w - | tshark -t a -l -r - | ts '%Y%m%d-%H:%M:%.S'
20210209-11:45:58.647716     1 11:45:58.405589397 192.168.200.21 → 192.168.200.135 SSH 118 
20210209-11:45:58.647941     2 11:45:58.410388536 192.168.200.135 → 192.168.200.21 TCP 60 
20210209-11:45:58.648017     3 11:45:58.467481645 Dell_4a:4e:de → Vmware_fa:a3:37 ARP 60 
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-02-09 15:16:39 +0000

Seen: 49 times

Last updated: Feb 09