Wireshark mailing list archives

Re: tshark crash with capture ring buffer (-b) and decoding packets (-S)


From: Will Cladek <will.cladek () nrl navy mil>
Date: Fri, 11 Jan 2013 14:39:50 -0500

One suggestion would be to avoid doing a full decode and print ("-S") but rather limit the decode output significantly 
("tshark -T fields -ehttp.referer").  That might help.  You could also mess with process priorities and the like but I doubt that 
would buy you much.

It appears that the -S option is required when writing to a ring buffer for it to print out anything -- the -T/-e options 
won't work alone.  When used together, it seems to add a little time before it crashes, but not much.

So I guess the problem really comes down to the fact that tshark can't decode at line rate.  Using a capture filter to just 
look at port 80 is probably good enough for my uses, and it seems the data is sufficiently lower that tshark can keep up the 
decoding.  So thanks for the info, I'll just have to keep that all in mind.

-Will