Hi, I'm using tshark with a "special feeding application" as described on https://wiki.wireshark.org/CaptureSetup/Pipes. I am seeing significant delays in packets being displayed from tshark.
I can reproduce this using a pipe to stdin from tcpdump:
sudo tcpdump -i en0 -w - -U icmp | tshark -r - -l
where my pings are not displayed packet-by-packet, but instead in batches, as can be seen in the following gist https://gist.github.com/sk2/b0df982766eec12c40d2
Sep 01 20:08:03 1 10:37:47.179530 192.168.178.20 -> 192.168.178.1 ICMP 70 Destination unreachable (Port unreachable)
Sep 01 20:08:03 2 10:37:47.530679 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03 3 10:37:47.576863 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply
Sep 01 20:08:03 4 10:37:48.531085 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03 5 10:37:48.561909 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply
Sep 01 20:08:03 6 10:37:49.535383 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03 7 10:37:49.571962 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply
Sep 01 20:08:03 8 10:37:50.540535 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
If I change from tshark to Wireshark, then the packets display as they are received from tcpdump:
sudo tcpdump -i en0 -w - -U icmp | wireshark -k -i -
Do I need any additional options to the -l flag to flush the output from tshark? I am using TShark 1.12.6 (v1.12.6-0-gee1fce6 from master-1.12) on OS X Yosemite.
Thanks
asked 01 Sep '15, 04:02
eskaytwo