Wireshark mailing list archives

Re: Faster: tshark or tcpdump?


From: Guy Harris <guy () alum mit edu>
Date: Sun, 30 Oct 2011 16:49:52 -0700


On Oct 30, 2011, at 2:43 PM, Chip wrote:

> For grabbing only the endpoint ips for https and http traffic, which is faster when dealing with high-bandwidth
> traffic, tshark or tcpdump?

If you want to capture it into a pcap file, and not do any dissection in the process, TShark doesn't offer any 
advantage - it just runs dumpcap and, if run without "-q", keeps track of how many packets dumpcap says it's captured 
and displays that.

I've never measured tcpdump and dumpcap on high-bandwidth traffic; I suspect there won't be a big difference.

> I need to grab only the end to end point ips along with timestamp,

If you truly care only about the endpoint IP addresses, then, if you only care about a known set of TCP ports (80, 443, 
maybe others), I'd capture with the appropriate "tcp port 80 or 443 or..." filter, and a snapshot length sufficient to 
capture all the relevant headers, including the IP header, but not, for example, the TCP header.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
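Worked example of the capture strategy in the reply above (added here; not code from the thread, from Wireshark or from tcpdump). The suggested capture would look like `tcpdump -i eth0 -s 34 -w endpoints.pcap 'tcp port 80 or 443'`: the BPF filter is evaluated against the full packet in the kernel, so the TCP ports are still matched, and only afterwards is each record truncated to the snaplen, so the saved file holds just the 14-byte Ethernet header and the 20-byte IPv4 header. The script builds such a truncated pcap from constructed frames (no real capture) and recovers timestamp, source and destination from the IP header alone. It assumes untagged Ethernet and IPv4 without options; 802.1Q tags (4 more bytes), IP options, or IPv6 (40-byte header) need a larger snaplen, and the `tcpdump` invocation and interface name are illustrative.

```python
import struct
from datetime import datetime, timezone

# Assumption: untagged Ethernet (14 bytes) + IPv4 header without options (20 bytes).
SNAPLEN = 34
LINKTYPE_ETHERNET = 1


def _ipv4_packet(src, dst, sport, dport, payload_len=100):
    """Constructed sample frame: Ethernet/IPv4/TCP with a dummy payload (not a real capture)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total_len = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len


def build_truncated_pcap(frames):
    """Write frames the way `tcpdump -s 34 -w` would: each record keeps the original
    length (orig_len) but stores only the first SNAPLEN bytes (incl_len)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, min(len(frame), SNAPLEN), len(frame))
        out += frame[:SNAPLEN]
    return out


def _records(pcap_bytes):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, record_bytes) from a classic pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian microsecond pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, incl_len, orig_len, pcap_bytes[off:off + incl_len]
        off += incl_len


def capture_lengths(pcap_bytes):
    """(incl_len, orig_len) per record: shows how much of each packet was actually saved."""
    return [(incl, orig) for _, _, incl, orig, _ in _records(pcap_bytes)]


def endpoints(pcap_bytes):
    """Return (utc_timestamp, src_ip, dst_ip) per record using only Ethernet + IPv4 headers."""
    results = []
    for ts_sec, ts_usec, _, _, rec in _records(pcap_bytes):
        # Skip anything that is not IPv4 over untagged Ethernet, or was cut below the IP header.
        if len(rec) < 34 or rec[12:14] != b"\x08\x00":
            continue
        src = ".".join(str(b) for b in rec[26:30])
        dst = ".".join(str(b) for b in rec[30:34])
        ts = datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc).isoformat()
        results.append((ts, src, dst))
    return results


# Constructed sample capture: two HTTPS packets of one flow and one HTTP packet.
SAMPLE_PCAP = build_truncated_pcap([
    (1320000000, 250000, _ipv4_packet("10.0.0.5", "93.184.216.34", 51234, 443)),
    (1320000001, 500000, _ipv4_packet("93.184.216.34", "10.0.0.5", 443, 51234)),
    (1320000002, 0, _ipv4_packet("10.0.0.7", "198.51.100.9", 40000, 80)),
])

if __name__ == "__main__":
    for (ts, src, dst), (incl, orig) in zip(endpoints(SAMPLE_PCAP), capture_lengths(SAMPLE_PCAP)):
        print(f"{ts} {src} -> {dst} (saved {incl} of {orig} bytes)")
```

Because the TCP header is never written to disk, the file cannot later be used to tell port 80 from port 443 traffic apart; if that distinction matters, raise the snaplen to 54 (Ethernet + IPv4 + 20-byte TCP header) or capture the two ports into separate files.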