Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Tshark shows packet loss while tcpdump doesn't! - Why?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 31 Aug 2009 14:47:29 -0700

On Aug 31, 2009, at 10:22 AM, H Aslam wrote:

I'm streaming a video sequence via VLC using RTP and port 1234 and I'm trying to detect packet loss, jitter and delay.

When I run the following command:

tshark -i 6 -c 5000  -d udp.port==1234,rtp -z rtp,streams

I get a lot of packet loss.

While running tcpdump and thereafter reading the pcap, generated by tcpdump, in tshark and showing the statistics I get much more reliable results with 0% packet loss.

I'm running tshark on an embedded Linux.

Why is that?

Because TShark does more work on the packets if you're asking it to dissect every single packet (which is what it does in that case - it has to do that in order to calculate RTP statistics) than tcpdump does if you have it just write the packets out to a file.

In addition, in order to limit the amount of code that runs with elevated privileges (which are needed, on a number of platforms, in order to capture traffic), we currently have dumpcap do the capturing and write to a file, and TShark read from that file. (This may change to a pipe at some point, but you still have the two-process split - although, perhaps that will be an advantage on a multi-core machine.)

- something with the filters?

There *is* no filter in

	tshark -i 6 -c 5000  -d udp.port==1234,rtp -z rtp,streams

so what it has to do with the filters is "there is no filter so it has to process packets about which you don't care".

Try

	tshark -i 6 -c 5000  -d udp.port==1234,rtp -z rtp,streams udp port 1234

which *does* have a (capture) filter, "udp port 1234". No guarantees that all the per-packet work done by TShark can be done quickly enough not to drop packets.

(NOTE: if this traffic is being carried over, say, PPPoE or on a VLAN or over MPLS, the capture filter would need to be changed, e.g. "pppoe and udp port 1234" or "vlan and udp port 1234" or "mpls and udp port 1234".)