This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark delays with -l flush with piped input

Hi, I'm using tshark with a "special feeding application" as described on https://wiki.wireshark.org/CaptureSetup/Pipes. I am seeing significant delays in packets being displayed from tshark.

I can reproduce this using a pipe to stdin from tcpdump:

sudo tcpdump -i en0 -w - -U icmp | tshark -r - -l

where my pings are not displayed packet-by-packet, but instead in batches, as can be seen in the following gist https://gist.github.com/sk2/b0df982766eec12c40d2

Sep 01 20:08:03   1 10:37:47.179530 192.168.178.20 -> 192.168.178.1 ICMP 70 Destination unreachable (Port unreachable)
Sep 01 20:08:03   2 10:37:47.530679 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03   3 10:37:47.576863 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply    
Sep 01 20:08:03   4 10:37:48.531085 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03   5 10:37:48.561909 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply    
Sep 01 20:08:03   6 10:37:49.535383 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03   7 10:37:49.571962 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply    
Sep 01 20:08:03   8 10:37:50.540535 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request

If I change from tshark to Wireshark, then the packets display as they are received from tcpdump:

sudo tcpdump -i en0 -w - -U icmp | wireshark -k -i -

Do I need any additional options to the -l flag to flush the output from tshark? I am using TShark 1.12.6 (v1.12.6-0-gee1fce6 from master-1.12) on OS X Yosemite.

Thanks

asked 01 Sep '15, 04:02

eskaytwo

edited 01 Sep '15, 17:12
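
An added example, not part of the original question: a small Python check that quantifies the batching visible in the output above. It assumes the leading `Sep 01 20:08:03` field is the wall-clock time at which each line was emitted (one-second resolution) and that the capture does not cross midnight; the function names are illustrative.

```python
import re
from datetime import datetime
from itertools import groupby

# Output lines copied from the question: emit stamp, frame number, capture time.
SAMPLE = """\
Sep 01 20:08:03   1 10:37:47.179530 192.168.178.20 -> 192.168.178.1 ICMP 70 Destination unreachable (Port unreachable)
Sep 01 20:08:03   2 10:37:47.530679 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03   3 10:37:47.576863 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply
Sep 01 20:08:03   4 10:37:48.531085 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03   5 10:37:48.561909 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply
Sep 01 20:08:03   6 10:37:49.535383 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
Sep 01 20:08:03   7 10:37:49.571962 150.101.140.197 -> 192.168.178.20 ICMP 98 Echo (ping) reply
Sep 01 20:08:03   8 10:37:50.540535 192.168.178.20 -> 150.101.140.197 ICMP 98 Echo (ping) request
"""

LINE = re.compile(
    r"^(?P<emitted>\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"  # when the line appeared
    r"(?P<frame>\d+)\s+"                               # tshark frame number
    r"(?P<captured>\d{2}:\d{2}:\d{2}\.\d+)\s"          # packet capture time
)

def parse(text):
    """Return (emit_stamp, frame_no, capture_time) for every matching line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cap = datetime.strptime(m["captured"], "%H:%M:%S.%f")
            rows.append((m["emitted"], int(m["frame"]), cap))
    return rows

def batches(rows):
    """Group consecutive lines sharing an emit stamp; report capture span."""
    out = []
    for stamp, grp in groupby(rows, key=lambda r: r[0]):
        grp = list(grp)
        span = (grp[-1][2] - grp[0][2]).total_seconds()
        out.append({"emitted": stamp, "frames": len(grp), "capture_span_s": span})
    return out

def is_buffered(batch, resolution_s=1.0):
    """Lines emitted within one stamp tick should not span more capture time."""
    return batch["capture_span_s"] > resolution_s

if __name__ == "__main__":
    for b in batches(parse(SAMPLE)):
        print(b, "BUFFERED" if is_buffered(b) else "ok")
```

On the sample, all eight frames share one emit stamp while their capture times cover more than three seconds, which is the batching the question describes.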