On Mon, Oct 29, 2001 at 08:52:49AM +0200, Tinga Shilo wrote:
> A person working with me claims that in high volume traffic
> both ethereal and tethereal seemed to lose packets, while tcpdump
> didn't.
> My response to this was, that while with ethereal, as a GUI application,
> this might make sense,
> tethereal practically uses the same libpcap as tcpdump (maybe more ?),
> and should not differ from tcpdump.
Tethereal uses the libpcap with which it's linked, as does tcpdump.
They may or may not be linked with the same libpcap.
However, that's *NOT* the only difference.
If you're running tcpdump and Tethereal with the "-w" flag, then tcpdump
doesn't print out anything while it's capturing, so you have no idea how
many packets it's captured. (The current CVS version of tcpdump
supports ^T on BSD systems - it catches SIGINFO and prints the summary
information of packets captured - but that's it.) Tethereal, however,
prints out a snoop-like continual count of how many packets it's
captured. This might slow it down somewhat.
If you're running tcpdump and Tethereal without the "-w" flag, then they
both dissect the packets and print information about them as they
arrive; however, Tethereal's summary dissection might do more work than
tcpdump's dissection, so it might not be able to handle as many packets
per unit time.
Did he see that performance difference when saving raw packets to a file,
with the "-w" flag, or did he see it when seeing printed dissections of
packets, without the "-w" flag?
