Wireshark-dev: Re: [Wireshark-dev] Delays in real-time packet capture

From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Mon, 04 Dec 2006 00:58:06 -0500

Hello Pierre,

>>> Pierre JUHEN <pierre.juhen@xxxxxxxxxx> 11/30/06 6:33 AM >>>
>Maybe the problems lies here (capture_opts.c) :
[snip]
> At least for me, it fixed the problem described in bugs 1181 et
1220.
> 
> I created bug #1220 because, sorry, the keywords I used wehre not the
right ones.
> 
> I attached a patch to bug #1220, but nobody seems to have taken care
of.
> 
> Hope it will close the issue for you also !

The patch for bug #1220 ("Wireshark is unduly buffered when reading
from a 
pipe") does not directly fix bug #1181 ("Delays in real-time packet
capture") 
when dumpcap itself is capturing from the NIC interface (which is what
happens 
when one initiates a capture from within Wireshark (e.g. "wireshark -i
eth0 -k -l -S")).  

Interestingly the patch for bug #1220 does affect dumpcap when dumpcap
is used in a pipeline (e.g. "tshark -i eth0 -w - |  wireshark -i - -k
-l -S"). 
In bug #1220 you appear to be using tshark as the 1st process in a
pipeline 
as a workaround for the buffering problem inherent in running dumpcap
on 
linux (bug #1181).  

While your proposed fix for bug #1220 doesn't directly resolve bug
#1181 
it can help suppress bug #1181 in certain scenarios.  I'd vote for
applying
your patch.

I hope someone finds this info helpful.

Jim Young