Wireshark-bugs: [Wireshark-bugs] [Bug 2874] New: dumpcap unnecessarily delays tshark
Date: Mon, 15 Sep 2008 05:25:14 -0700 (PDT)

           Summary: dumpcap unnecessarily delays tshark
           Product: Wireshark
           Version: 1.0.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: [email protected]
        ReportedBy: [email protected]

Build Information:
TShark 1.0.3

Copyright 1998-2008 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO

Compiled with GLib 2.16.5, with libpcap 0.9.8, with libz, with POSIX
capabilities (Linux), with libpcre 7.6, without SMI, with ADNS, with Lua 5.1,
with GnuTLS 2.4.1, with Gcrypt 1.4.1, with MIT Kerberos.

Running on Linux, with libpcap version 0.9.8.

Built using gcc 4.3.2.

When using tshark -li-

tshark spawns dumpcap.

dumpcap performs a loop that reads pcap packets from stdin, and writes
instructions to tshark.

However, dumpcap will only send packets to tshark once per second. The code in
dumpcap.c has:

    /* Only update once a second (Win32: 500ms) so as not to overload slow
     * displays. This also prevents too much context-switching between the
     * dumpcap and wireshark processes */

While that can be understood of wireshark, it cannot really of tshark. One
generally wants tshark to output packets as soon as they are received
especially if the -l option is given. IMO, if wireshark has a limitation in
that it shouldn't be refreshed too often, then the waiting should be in the
code of wireshark, not in dumpcap, or at least there should be an option that
wireshark passes to dumpcap to enable that "waiting".

A consequence of that is that the output of tshark is delayed unncessarily.
This is especially annoying for the script I was trying to make:

It is a script that decodes the output of some "tracing" command that outputs
hexdumps of SCCP packets.

It opens a set of pipes (for input and output) to the tshark -Vli- command, and
in a loop does a:

- write a pcap packet to the pipe to tshark input
- read the decoded packet from the pipe from tshark output
- write to stdout the coded and decoded packets

Because of the "sleeping" in dumpcap, that script can only decode one packet
per second.

Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.