Wireshark-bugs: [Wireshark-bugs] [Bug 2874] New: dumpcap unnecessarily delays tshark

Date: Mon, 15 Sep 2008 05:25:14 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2874

           Summary: dumpcap unnecessarily delays tshark
           Product: Wireshark
           Version: 1.0.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: stephane_chazelas@xxxxxxxx


Build Information:
TShark 1.0.3

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.16.5, with libpcap 0.9.8, with libz 1.2.3.3, with POSIX
capabilities (Linux), with libpcre 7.6, without SMI, with ADNS, with Lua 5.1,
with GnuTLS 2.4.1, with Gcrypt 1.4.1, with MIT Kerberos.

Running on Linux 2.6.24.2, with libpcap version 0.9.8.

Built using gcc 4.3.2.

--
When using tshark -li-

tshark spawns dumpcap.

dumpcap performs a loop that reads pcap packets from stdin, and writes
instructions to tshark.

However, dumpcap will only send packets to tshark once per second. The code in
dumpcap.c has:

    /* Only update once a second (Win32: 500ms) so as not to overload slow
     * displays. This also prevents too much context-switching between the
     * dumpcap and wireshark processes */

While that can be understood of wireshark, it cannot really of tshark. One
generally wants tshark to output packets as soon as they are received
especially if the -l option is given. IMO, if wireshark has a limitation in
that it shouldn't be refreshed too often, then the waiting should be in the
code of wireshark, not in dumpcap, or at least there should be an option that
wireshark passes to dumpcap to enable that "waiting".



A consequence of that is that the output of tshark is delayed unnecessarily.
This is especially annoying for the script I was trying to make:

It is a script that decodes the output of some "tracing" command that outputs
hexdumps of SCCP packets.

It opens a set of pipes (for input and output) to the tshark -Vli- command, and
in a loop does a:

- write a pcap packet to the pipe to tshark input
- read the decoded packet from the pipe from tshark output
- write to stdout the coded and decoded packets

Because of the "sleeping" in dumpcap, that script can only decode one packet
per second.
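
The write-one, read-one loop described in the report, as an added sketch that is not part of the original report or of Wireshark's code: it frames each payload as a classic pcap record, flushes it into `tshark -Vli-`, and times how long the decoded block takes to come back. It assumes `tshark` is on PATH, that `-V` output ends each packet's block with a blank line, and link type 142 (LINKTYPE_SCCP in the tcpdump.org registry); the function names and the sample payload are constructed.

```python
import struct
import subprocess
import time

LINKTYPE_SCCP = 142  # assumption: payloads are raw SCCP (tcpdump.org link-type registry)


def pcap_global_header(linktype, snaplen=65535):
    """24-byte classic pcap file header, little-endian, format version 2.4."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload, ts=None):
    """16-byte per-packet header (sec, usec, caplen, len) followed by the payload."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def time_round_trips(payloads, linktype=LINKTYPE_SCCP, cmd=("tshark", "-Vli-")):
    """Feed one packet at a time; return seconds until each decode comes back."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    proc.stdin.write(pcap_global_header(linktype))
    proc.stdin.flush()
    delays = []
    for payload in payloads:
        start = time.monotonic()
        proc.stdin.write(pcap_record(payload))
        proc.stdin.flush()  # rule out buffering on the writer's side
        # Assumption: -V output ends each packet's block with a blank line.
        while True:
            line = proc.stdout.readline()
            if not line or not line.strip():
                break
        delays.append(time.monotonic() - start)
    proc.stdin.close()
    proc.wait()
    return delays


if __name__ == "__main__":
    # Constructed bytes standing in for the traced hexdumps, not a real SCCP message.
    sample = [bytes.fromhex("0901030507")] * 3
    for i, delay in enumerate(time_round_trips(sample), 1):
        print(f"packet {i}: decoded after {delay:.3f}s")
```

With the behaviour described in the report, each delay would come out close to one second even though the writer flushes every record immediately.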

