Wireshark-dev: Re: [Wireshark-dev] Delays in real-time packet capture

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 25 Sep 2006 10:52:10 -0700
Richard van der Hoff wrote:

> The only concern with this would be that dumpcap would presumably then send a packet count after every packet - which might mean a significant quantity of data.

Every batch of packets, at least.

Some OSes support packet batching, so that a single read from the capture device can supply multiple packets; those OSes support a timeout, so that the read either waits for a full batch or for a timer to expire, so you don't wait indefinitely for a full batch.

(Note that this timer is *NOT* necessarily started when the read starts; the timer on SunOS 5.x, for example, starts when the first packet arrives. I.e., this timer does *NOT* guarantee that a read will wait no longer than the timeout, and will return at that point if no packets have arrived; that does *NOT* happen on SunOS 5.x.)

BSDs (including OS X) support that in BPF (AIX's BPF doesn't work correctly, so the timeout doesn't work and isn't used). As indicated, SunOS 3.x/4.x/5.x support it, too, as do Digital/Tru64 Unix and Windows with WinPcap.

Linux, however, doesn't support batching, at least not in PF_PACKET sockets.
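A small model of the batching-with-timeout behaviour described above, added here as an illustration (it is not Wireshark, dumpcap or libpcap code): it computes how long each packet waits before the read that delivers it returns, under the two timer policies in the mail and with no batching at all. The arrival times, timeout and batch size are constructed sample values.

```python
"""Model of batched capture reads and the delay they add before a reader such
as dumpcap sees a packet.  Added illustration, not Wireshark or libpcap code;
the two timer policies are abstractions of the behaviour the mail describes."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ReadResult:
    returned_at: Optional[int]  # ms; None means the read never returns
    packets: int                # packets handed to the reader


def batched_read(pending: List[int], start: int, timeout: int, batch_size: int,
                 timer_from_first_packet: bool) -> ReadResult:
    """Simulate one blocking read issued at `start` (ms).

    pending: sorted arrival times of packets not yet delivered (constructed).
    The read returns when `batch_size` packets are buffered or when the hold
    timer expires.  timer_from_first_packet=False arms the timer when the read
    begins; True arms it when the first packet arrives (the SunOS 5.x
    behaviour in the mail), so an idle link makes the read block forever.
    """
    if timer_from_first_packet:
        if not pending:
            return ReadResult(None, 0)          # nothing ever arms the timer
        deadline = max(start, pending[0] + timeout)
    else:
        deadline = start + timeout
    batch = [t for t in pending if t <= deadline][:batch_size]
    if len(batch) == batch_size:                # buffer full: return early
        return ReadResult(max(start, batch[-1]), batch_size)
    return ReadResult(deadline, len(batch))     # timer expiry: partial batch


def delivery_delays(arrivals: List[int], timeout: int, batch_size: int,
                    timer_from_first_packet: bool) -> List[int]:
    """Per-packet wait (ms) between arrival and the read that delivers it."""
    delays, now, i = [], 0, 0
    while i < len(arrivals):
        r = batched_read(arrivals[i:], now, timeout, batch_size,
                         timer_from_first_packet)
        if r.returned_at is None:
            break
        delays.extend(r.returned_at - t for t in arrivals[i:i + r.packets])
        i += r.packets
        now = r.returned_at
    return delays


if __name__ == "__main__":
    # Constructed trace: a burst of two packets, a 2.4 s gap, then two more.
    TRACE = [500, 600, 3000, 3100]
    print("timer from read start :", delivery_delays(TRACE, 1000, 3, False))
    print("timer from 1st packet :", delivery_delays(TRACE, 1000, 3, True))
    print("no batching (Linux)   :", delivery_delays(TRACE, 1000, 1, False))
```

With the timer armed by the first packet, every packet that does not complete a full batch waits the whole timeout, which is the kind of fixed lag a live capture display shows on such systems.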