Ask Your Question
0

Tshark slow output

asked 2023-02-26 09:02:11 +0000

Matan gravatar image

Hey there! I am trying to use tshark for printing UDP data and I noticed a delay of 0.6 seconds between the frame info time epoch and the actual writing to stdout. I am using UBUNTU 22.04 with 11th Gen Intel(R) Core(TM) i7-11700 @ 2.50GHz and 16GB RAM in performance mode, so it is quite strange. The command I am running is /usr/bin/tshark -l -n -x -i lo -f "udp port 7777".

Is there any way to make the output faster?

edit retag flag offensive close merge delete

Comments

Normally its the case that the buffer size is increased (-B|--buffer-size <capture buffer="" size="">) because packets are being dropped.
If the packet rate is low, perhaps decreasing the buffer will reduce the latency.

tcpdump has the --immediate-mode option but there is no such option for dumpcap (or tshark).

Chuckc gravatar imageChuckc ( 2023-02-26 18:28:53 +0000 )edit

Unfortunately, tcpdump doesn't have -T json

Matan gravatar imageMatan ( 2023-02-27 13:48:19 +0000 )edit

Did you try a smaller buffer with tshark?

Chuckc gravatar imageChuckc ( 2023-02-27 13:51:14 +0000 )edit

I tried, the minimum buffer configurable is 1MiB as long as I understand

Matan gravatar imageMatan ( 2023-02-27 13:56:59 +0000 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2023-03-08 20:01:47 +0000

Chuckc gravatar image

https://discord.com/channels/88921418...

Dumpcap only sends packet counts to its parent every 500 ms. Seems like that could be faster. For slow displays over VNC, or people who just like the delayed update, couldn't the update delay be a GUI setting? It also means that autostop / file switching granularity is limited to half a second too.

edit flag offensive delete link more
0

answered 2023-02-26 16:48:22 +0000

SYN-bit gravatar image

updated 2023-02-26 16:49:40 +0000

I tested on a linux VM in my lab with the command date +"%T.%6N" | nc -u 127.0.0.1 7777

It does not show such a high delta on my VM (Ubuntu 20.04 LTS):

sake@jump:~$ /usr/bin/tshark -c1 -ta -l -n -P -x -i lo -f "udp port 7777"; date +"%T.%6N"
Capturing on 'Loopback: lo'
    1 17:42:13.157521841    127.0.0.1 → 127.0.0.1    UDP 58 59670 → 7777 Len=16

0000  00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00   ..............E.
0010  00 2c e4 9c 40 00 40 11 58 22 7f 00 00 01 7f 00   .,..@[email protected]"......
0020  00 01 e9 16 1e 61 00 18 fe 2b 31 37 3a 34 32 3a   .....a...+17:42:
0030  31 33 2e 31 35 35 30 38 33 0a                     13.155083.

1 packet captured
17:42:13.219419
sake@jump:~$

The timestamps I see are:

17:42:13.155083 (0.000) Date generated it's output
17:42:13.157521 (0.002) Libpcap timestamped the packet
17:42:13.219419 (0.062) Tshark exited (so printing to STDOUT had definitely finished already)

What does your system show with the test above?

edit flag offensive delete link more

Comments

In that case my system show the output fast, so if you don't mind I would ask you for the whole case: When running with python3.11

import subprocess

import time

print(time.time())

p = subprocess.Popen(['ls', '-R', '/home'], stdout=subprocess.PIPE)

d = p.stdout.read(100000)

print(time.time()) `

it prints:

1677505233.4244854

1677505233.4286182

but when I run:

import subprocess

import time

p = subprocess.Popen(['/usr/bin/tshark', '-ta', '-x', '-q', '-f', 'udp port 7777', '-i', 'lo', '-T', 'json'], stdout=subprocess.PIPE)

d = p.stdout.read(100000)

print(time.time())

print(d)

and send packets with for ((i=0;i<10;i++)); do date +"%T.%6N" | nc -u 127.0.0.1 7777; done

the last epoch that is printed is 1677505307.545133347 but the time that is printed is 1677505308.2807975

Matan gravatar imageMatan ( 2023-02-27 13:43:56 +0000 )edit

When I use your python script, I too get around ~600ms difference. It boils down to:

  • The asynchronous reverse name lookups do take quite some time. On my VM, it saves 300ms to not do lookups, so that is about half the time.
  • When I execute the command in a bash shell instead of the python script (also with name resolving disabled), the delta is down to 100ms.

So that leaves ~200 ms which is added by the python processing.

So for the 600ms, they are not so much a tshark issue in my opinion. I personally have no experience in profiling and improving python script performance.

SYN-bit gravatar imageSYN-bit ( 2023-02-27 23:10:59 +0000 )edit

Thanks a lot for your help!

How do you disable the name lookups?

My initial feeling was that python is the problem too, but running tcpdump / ls / yes with different sizes stays fast (around 0.004 seconds), event if I measure the initial time before calling the Popen

Matan gravatar imageMatan ( 2023-02-28 05:22:32 +0000 )edit

Add -n to your tshark arguments for the disabling of name resolution.

SYN-bit gravatar imageSYN-bit ( 2023-02-28 16:52:28 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-02-26 09:02:11 +0000

Seen: 572 times

Last updated: Mar 08 '23