Wireshark mailing list archives

Re: tshark overrun?


From: Guy Harris <guy () alum mit edu>
Date: Fri, 18 Nov 2011 09:41:16 -0800


On Nov 18, 2011, at 7:35 AM, Eric Ewanco wrote:

> When I do "tshark -i eth5 udp -c 1000 -w /tmp/eth5.cap", it displays a count of packets as they come in until they
> reach the -c threshold.  It never reaches this threshold when the problem manifests itself.

When you do "tcpdump -i eth5 -c 1000 -w /tmp/eth5.cap udp":

        1) there's only one process - tshark does that by running dumpcap with a pipe sending "I've captured N more
           packets" up to tshark

and

        2) tcpdump isn't printing out packet count messages

so it's not entirely surprising that tcpdump drops fewer packets.  You might try just using dumpcap, or using tshark 
but suppressing the packet counts with "-q".

(Or, to put it another way, the counting is the problem.  Tcpdump counts packets, but it doesn't keep telling you about 
them.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users