
Wireshark-users: Re: [Wireshark-users] tshark packets dropped

From: Forthofer Russ <Russ.Forthofer@xxxxxxxxx>
Date: Thu, 7 Jan 2010 14:17:38 -0500
Thank you for the excellent explanation! 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Thursday, January 07, 2010 2:12 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark packets dropped


On Jan 7, 2010, at 10:58 AM, Forthofer Russ wrote:

> Does this mean that dumpcap is more efficient than tshark?

Yes.  For one thing, the way tshark captures traffic is to run dumpcap (the same is true of Wireshark); unless tshark does *nothing* other than run dumpcap and wait for it to finish, it will impose *some* additional overhead.

If you run TShark with the "-w" option and without the "-S" option, all it does is get updates from dumpcap saying "I've captured N packets" and write an updated "total packets captured" count to the standard output.  If you also run it with "-q", it won't even do that, but it still updates the count in memory; that's probably the most efficient way to run TShark, but, if that's all you're doing, you might as well just run dumpcap.

If you run TShark without the "-w" option, or with both "-w" and "-S", it will also *dissect* the packets as dumpcap writes them out; in that case, it will do a *lot* more work than dumpcap, in addition to the work dumpcap is doing.

In addition, when it's being run by TShark without "-w" or with "-S", or by Wireshark with "Update list of packets in real time", dumpcap will write out each burst of packets it sees to its output file as the burst arrives, so that a write to the file system happens for each burst; otherwise, it just lets the "C standard I/O library" routines' buffering write to the file system when the buffer fills up or when the capture is done, so that fewer writes are done (with more data per write).  That also adds overhead.

> I've never understood the difference between the two programs.  Does one have functions the other does not?

Yes.  TShark can dissect packets; dumpcap cannot (this is intentional - dumpcap might have to run with elevated privileges in order to capture traffic, and the intent is to minimize the amount of code that has to run with elevated privileges).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
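The workflow the reply recommends (let the small, privileged dumpcap do the capture with "-q -w", then dissect the finished file with tshark "-r" as an ordinary user), as an added example; this is not code from the Wireshark project or from either poster. It assumes dumpcap and tshark are on PATH, and the parser assumes the "Packets captured:" and "Packets received/dropped on interface" lines that dumpcap prints on stderr at the end of a capture; whether those lines appear under "-q" varies by version, so the parser returns None / an empty map rather than failing when they are absent. The sample stderr text in the block is constructed.

```python
"""Capture with dumpcap, dissect offline with tshark (added example).

The privileged step is limited to dumpcap, which contains no dissector code;
tshark only ever reads the resulting file, so the large dissection code base
never runs with capture privileges.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed shapes of dumpcap's end-of-capture summary on stderr.
_CAPTURED_RE = re.compile(r"^Packets captured:\s*(\d+)", re.M)
_IFACE_RE = re.compile(
    r"^Packets received/dropped on interface '([^']+)':\s*(\d+)/(\d+)", re.M
)


def parse_dumpcap_summary(stderr_text):
    """Pull packet counts out of dumpcap's stderr summary.

    Returns {'captured': int | None, 'interfaces': {name: (received, dropped)}}.
    A missing line yields captured=None or an empty interface map instead of
    an exception, so a truncated or quiet-mode summary does not crash the caller.
    """
    m = _CAPTURED_RE.search(stderr_text)
    captured = int(m.group(1)) if m else None
    interfaces = {
        name: (int(rx), int(drop))
        for name, rx, drop in _IFACE_RE.findall(stderr_text)
    }
    return {"captured": captured, "interfaces": interfaces}


def drop_ratio(summary):
    """Fraction of packets the interface(s) dropped; 0.0 when nothing was seen."""
    received = sum(rx for rx, _ in summary["interfaces"].values())
    dropped = sum(d for _, d in summary["interfaces"].values())
    return dropped / received if received else 0.0


def capture(iface, outfile, duration_s, capture_filter=None):
    """Run dumpcap (the only binary that needs capture privileges).

    -q suppresses the running packet counter; -a duration:N ends the capture
    on its own so this function returns without a signal.  Returns the parsed
    summary of whatever dumpcap reported on stderr.
    """
    cmd = ["dumpcap", "-i", iface, "-q", "-a", f"duration:{duration_s}",
           "-w", str(outfile)]
    if capture_filter:
        cmd += ["-f", capture_filter]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_dumpcap_summary(proc.stderr)


def dissect(infile, display_filter, fields):
    """Dissect a finished capture file with tshark as an unprivileged user.

    Reading from a file needs no capture privilege.  Returns one list of
    field values per matching packet (tshark -T fields is tab separated).
    """
    cmd = ["tshark", "-r", str(infile), "-Y", display_filter, "-T", "fields"]
    for f in fields:
        cmd += ["-e", f]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return [line.split("\t") for line in proc.stdout.splitlines()]


# Constructed sample of a dumpcap stderr summary (not real captured output).
SAMPLE_STDERR = (
    "Capturing on 'eth0'\n"
    "File: /tmp/cap.pcapng\n"
    "Packets captured: 1234\n"
    "Packets received/dropped on interface 'eth0': 1250/16 "
    "(pcap:16/dumpcap:0/flushed:0/ps_ifdrop:0) (98.7%)\n"
)

if __name__ == "__main__":
    # Offline part: parse the constructed summary and report the drop rate.
    summary = parse_dumpcap_summary(SAMPLE_STDERR)
    print("sample:", summary, "drop ratio %.4f" % drop_ratio(summary))

    # Live part: only if both tools exist and we may capture on "eth0"
    # (assumed interface name; adjust to taste).
    if shutil.which("dumpcap") and shutil.which("tshark"):
        out = Path(tempfile.mkdtemp()) / "cap.pcapng"
        live = capture("eth0", out, duration_s=5, capture_filter="tcp port 443")
        print("live:", live, "drop ratio %.4f" % drop_ratio(live))
        for row in dissect(out, "tls.handshake.type == 1",
                           ["ip.src", "ip.dst", "tls.handshake.extensions_server_name"]):
            print(row)
```

The split matters for the "packets dropped" question too: because dumpcap does nothing but write bursts to the file, a non-zero drop count from this workflow points at the interface or kernel buffer rather than at dissection overhead, which is the case the thread describes tshark adding.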

