Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Tshark command output doesn't keep up with packets

I'm currently trying to use Tshark to monitor packets from a TCP connection in real time. The Tshark command I have is working and is outputting packet information, but the issue is that it is hugely delayed.

Lets say I start tshark, then run iPerf. By the time iPerf has finished the 10 second transfer interval, tshark is still showing me packets of around only 3 seconds (relative time to start of stream). It will then over the next 10 seconds or so, finish printing all the packets. The same issue occurs if I pipe it into another program, making me believe the actual printing to screen is not causing the delay.

What could be causing this? Is Tshark writing to disk somewhere instead of directly dissecting the packets causing an IO delay?

The command I use is shown below: sudo tshark -P -i eno1 -B 5 -l -f 'tcp and port 5201' -T fields -E separator=, -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.window_size -e tcp.time_relative -e tcp.analysis.ack_rtt -e tcp.analysis.lost_segment -e tcp.analysis.duplicate_ack -e tcp.analysis.out_of_order -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission

Thanks