This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Improving performance

0

Hi all,

I am using tshark to sniff HTTP content on a very busy server and I see that the CPU usage of the tshark process is very high.

This is the command line I am using:

tshark.exe -i3 -l -f "tcp port 80" -O http -d tcp.port==80,http -o "ip.use_geoip:FALSE" -R "not tcp.analysis.duplicate_ack" -T fields -e ip.host -e tcp.port -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -e http.content_length -e data -e text -E separator=;2>&0

Is there anything I can do to get the same result - but with better performance? Can anyone point to any part of the command line that might be the reason for the high CPU usage?

Thanks

David

asked 04 Mar '13, 11:34


David Sackstein
accept rate: 0%


2 Answers:

0

Wow, this is some tshark command line. I assume you need the -l because you pipe the output to another tool or script? I think you can leave out the -O http bit, since you later on ask for specific fields using -T. I also think you can leave out the -d tcp.port==80,http bit, it's rather obvious tcp port 80 traffic is HTTP, at least that's what the HTTP dissector assumes. I'm not sure these would improve performance though. I reckon taking out the -R filter would.

answered 04 Mar '13, 15:00


Jaap ♦
accept rate: 14%

0

Is there anything I can do to get the same result - but with better performance?

Please try this:

tshark.exe -n -i3

instead of

tshark.exe -i3

Regards
Kurt

answered 05 Mar '13, 12:26


Kurt Knochner ♦
accept rate: 15%

Hi Kurt,

Thanks for this tip. Is the order of the options actually important too? Must -n be before -i3?

Thanks
David

(05 Mar '13, 12:41) David Sackstein

The order does not matter.

(05 Mar '13, 12:48) Kurt Knochner ♦