The -l argument for tshark is supposed to display the dissection data immediately. However, it has no effect. I have a custom dissector sending data to another program. The other program is currently receiving it in bursts at about 2 times a second. This is far to slow. If -l does not work is there anyway to force wireshark or tshark to make these bursts happen more frequently? Currently none of the preferences I have toyed with have made an impact, including buffer size. Thank You asked 11 Jul '17, 11:52  afay |
One Answer:
In this case it's dumpcap that is the source of the delay: it only sends packets up to tshark once every 500msec (twice a second). Bug 2874 contains some details. It seems the solution is to have tshark read from a pipe instead of from dumpcap. answered 11 Jul '17, 15:06  JeffMorriss ♦ |
Thank You!
You're welcome. BTW this is a Q&A site so please be sure to Accept the answer (assuming it answers your question) by clicking on the checkmark next to the answer. That way the question won't show up as "unanswered."