Wireshark mailing list archives
Re: tshark overrun?
From: Guy Harris <guy () alum mit edu>
Date: Fri, 18 Nov 2011 09:41:16 -0800
On Nov 18, 2011, at 7:35 AM, Eric Ewanco wrote:
When I do "tshark -i eth5 udp -c 1000 -w /tmp/eth5.cap", it displays a count of packets as they come in until they reach the -c threshold. It never reaches this threshold when the problem manifests itself.
When you do "tcpdump -i eth5 -c 1000 -w /tmp/eth5.cap udp":

1) there's only one process - tshark does that by running dumpcap with a pipe sending "I've captured N more packets" up to tshark

and

2) tcpdump isn't printing out packet count messages

so it's not entirely surprising that tcpdump drops fewer packets.

You might try just using dumpcap, or using tshark but suppressing the packet counts with "-q".

(Or, to put it another way, the counting is the problem. Tcpdump counts packets, but it doesn't keep telling you about them.)