
Tshark command output doesn't keep up with packets


I'm currently trying to use Tshark to monitor packets from a TCP connection in real time. The Tshark command I have is working and is outputting packet information, but the issue is that it is hugely delayed.

Let's say I start tshark, then run iPerf. By the time iPerf has finished the 10 second transfer interval, tshark is still showing me packets from only around 3 seconds (relative time to start of stream). It will then, over the next 10 seconds or so, finish printing all the packets. The same issue occurs if I pipe it into another program, making me believe the actual printing to screen is not causing the delay.

What could be causing this? Is Tshark writing to disk somewhere instead of directly dissecting the packets causing an IO delay?

The command I use is shown below:

sudo tshark -P -i eno1 -B 5 -l -f 'tcp and port 5201' -T fields -E separator=, -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.window_size -e tcp.time_relative -e tcp.analysis.ack_rtt -e tcp.analysis.lost_segment -e tcp.analysis.duplicate_ack -e tcp.analysis.out_of_order -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission

Thanks

tkzheng (1)
asked 2019-07-09 19:26:33 +0000


1 Answer


Do you have name resolution enabled in your Default profile? That might slow things down. You might want to add -n to your tshark command to make sure it does not do name resolution.

SYN-bit (18.5k)
answered 2019-07-10 19:45:39 +0000

Comments

Unfortunately that seems to have no effect on the issue.

tkzheng (2019-07-15 17:53:19 +0000)

Is Tshark writing to disk somewhere instead of directly dissecting the packets causing an IO delay?

Yes, tshark (as well as Wireshark) uses dumpcap to capture the packets. Dumpcap writes to a temporary file and tshark (and Wireshark) read from the temporary file. I usually keep 200 Mbit/s as a maximum of traffic that can be processed by just dumpcap alone without missing packets. So when using tshark with dissection, this value will probably be lower.

SYN-bit (2019-07-15 22:26:11 +0000)

Is it possible to configure the location of this file so that I could use something like a RAMdisk for faster IO?

tkzheng (2019-07-15 22:48:52 +0000)

Yes, you can set the tmpdir that dumpcap/tshark uses:

sake@MacSake:~$ tshark -G folders | grep -i temp
Temp:                   /var/folders/j8/x8jn12nd2bqd0330ts6tcp7w0000gn/T/
sake@MacSake:~$ export TMPDIR='/tmp/'
sake@MacSake:~$ tshark -G folders | grep -i temp
Temp:                   /tmp/
sake@MacSake:~$

SYN-bit (2019-07-16 07:56:56 +0000)
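To put a number on the backlog the question describes, the live field output can be piped through a small lag monitor. This is an added example, not code from the thread; it assumes the question's tshark command is run with -n (as the answer suggests) and with -e frame.time_epoch added as the first field, so each line carries the capture timestamp that the monitor compares against its own wall clock.

```python
"""Measure how far tshark's live field output lags behind capture time.

Assumed invocation (hypothetical, adapted from the question's command):
  sudo tshark -n -i eno1 -B 5 -l -f 'tcp and port 5201' -T fields \
      -E separator=, -e frame.time_epoch -e ip.src -e tcp.srcport ... | python3 lag.py
"""
import sys
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class LagStats:
    packets: int = 0
    max_lag: float = 0.0
    total_lag: float = 0.0

    @property
    def mean_lag(self) -> float:
        return self.total_lag / self.packets if self.packets else 0.0


def parse_epoch(line: str, sep: str = ",") -> Optional[float]:
    """Return frame.time_epoch from the first CSV field, or None for non-packet lines."""
    try:
        return float(line.split(sep, 1)[0].strip())
    except ValueError:  # e.g. "Capturing on 'eno1'" status lines
        return None


def update(stats: LagStats, line: str, now: float) -> Optional[float]:
    """Fold one output line into stats; `now` is the wall-clock time the line arrived."""
    captured = parse_epoch(line)
    if captured is None:
        return None
    lag = now - captured  # seconds between capture and this line reaching us
    stats.packets += 1
    stats.total_lag += lag
    stats.max_lag = max(stats.max_lag, lag)
    return lag


def run(lines, clock=time.time, warn_after: float = 1.0) -> LagStats:
    """Process lines as they arrive (tshark -l flushes per packet) and report big lags."""
    stats = LagStats()
    for line in lines:
        lag = update(stats, line, clock())
        if lag is not None and lag > warn_after:
            print(f"lag {lag:6.2f}s behind capture ({stats.packets} pkts)", file=sys.stderr)
    return stats


if __name__ == "__main__":
    s = run(sys.stdin)
    print(f"{s.packets} packets, mean lag {s.mean_lag:.3f}s, max lag {s.max_lag:.3f}s")
```

A mean lag that keeps growing over the iPerf run, rather than holding steady, is the signature of the dissection pipeline falling behind the capture rather than of slow terminal output.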
