Wireshark mailing list archives

Re: tshark packets dropped


From: Forthofer Russ <Russ.Forthofer () ssfhs org>
Date: Thu, 7 Jan 2010 14:17:38 -0500

Thank you for the excellent explanation! 

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
Sent: Thursday, January 07, 2010 2:12 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark packets dropped


On Jan 7, 2010, at 10:58 AM, Forthofer Russ wrote:

Does this mean that dumpcap is more efficient than tshark?

Yes.  For one thing, the way tshark captures traffic is to run dumpcap (the same is true of Wireshark); unless tshark 
does *nothing* other than run dumpcap and wait for it to finish, it will impose *some* additional overhead.

If you run TShark with the "-w" option and without the "-S" option, all it does is get updates from dumpcap saying 
"I've captured N packets" and write an update to the "total packets captured" count to the standard output.  If you 
also run it with "-q", it won't even do that, but it still updates the count in memory; that's probably the most 
efficient way to run TShark, but, if that's all you're doing, you might as well just run dumpcap.

If you run TShark without the "-w" option, or with both "-w" and "-S", it will also *dissect* the packets as dumpcap 
writes them out; in that case, it will do a *lot* more work than dumpcap, in addition to the work dumpcap is doing.

In addition, when it's being run by TShark without "-w" or with "-S", or by Wireshark with "Update list of packets in 
real time", dumpcap will write out each burst of packets it sees to its output file as the burst arrives, so that a 
write to the file system happens for each burst; otherwise, it just lets the "C standard I/O library" routines' 
buffering write to the file system when the buffer fills up or when the capture is done, so that fewer writes are done 
(with more data per write).  That also adds overhead.

I've never understood the difference between the two programs.  Does one have functions the other does not?

Yes.  TShark can dissect packets; dumpcap cannot (this is intentional - dumpcap might have to run with elevated 
privileges in order to capture traffic, and the intent is to minimize the amount of code that has to run with elevated 
privileges).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe


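As an added example (not part of this thread and not the Wireshark project's own code), a POSIX shell script that applies Guy's advice: capture with dumpcap when it is available, fall back to tshark in its cheapest mode (-w with -q and without -S, so it neither prints the running count nor dissects live), and leave all dissection to an offline tshark -r pass once the capture has finished. The interface name eth0, the output path, the packet count and the frame fields extracted are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Captures with the least-overhead front end
# (dumpcap runs with the capture privileges and does no dissection), then dissects
# the saved file offline, where extra CPU time cannot cause dropped packets.
# IFACE, OUT, COUNT and the fields below are illustrative assumptions.

IFACE="${IFACE:-eth0}"
OUT="${OUT:-/tmp/capture.pcapng}"
COUNT="${COUNT:-1000}"

# Choose the capture tool: prefer dumpcap, fall back to tshark, fail if neither exists.
capture_tool() {
    if command -v dumpcap >/dev/null 2>&1; then
        echo dumpcap
    elif command -v tshark >/dev/null 2>&1; then
        echo tshark
    else
        return 1
    fi
}

# Build the capture command line for the chosen tool.
# -q suppresses the periodic packet-count output; for tshark, -w without -S means
# it only relays counts from dumpcap and never dissects the live stream.
capture_args() {
    tool="$1"; iface="$2"; out="$3"; count="$4"
    case "$tool" in
        dumpcap) echo "dumpcap -q -i $iface -c $count -w $out" ;;
        tshark)  echo "tshark -q -i $iface -c $count -w $out" ;;
        *)       return 1 ;;
    esac
}

# Run the capture, then do the expensive protocol work offline with tshark -r.
run_capture() {
    tool=$(capture_tool) || { echo "neither dumpcap nor tshark found" >&2; return 1; }
    cmd=$(capture_args "$tool" "$IFACE" "$OUT" "$COUNT")
    echo "capturing: $cmd" >&2
    # Word splitting of $cmd is intentional: it expands into the command and its arguments.
    $cmd || return 1
    # Offline dissection: frame number, length and protocol stack of the first 20 frames.
    tshark -r "$OUT" -T fields -e frame.number -e frame.len -e frame.protocols | head -n 20
}

# Only start capturing when explicitly asked: sh capture.sh run
if [ "${1:-}" = "run" ]; then
    run_capture
fi
```

Run it as `sh capture.sh run` (with the privileges your platform requires for capturing); override `IFACE`, `OUT` or `COUNT` in the environment as needed.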