Re: realtime dumpcap capability

[Dario Lombardo <lomato () gmail com>]

Hi Marty
Did you try nflog/nfqueue interface? If that is not fast enough (I haven't
done any comparison), I'd suggest you to have a look at ntop projects (like
n2disk). It basically depends if you want to high speed capture or
dissection. If you can capture and analyze later, have a look at this
extcap module (ntop peoject) that leverages n2disk for running wireshark on
the db it creates.

https://github.com/ntop/n2disk/tree/master/wireshark/extcap

On Sun, Mar 10, 2019 at 7:36 PM marty leisner <maleisner () gmail com> wrote:

> Running on linux, I'm using two sharktap's across the lan/wan ports of a
> router.
>
> I'm running dumpcap into pipes, and reading the pipes.
>
> I want the packets being emitted to be close time between the
> ingress/egress packets -- what I'm seeing is a difference of up to
> hundreds of milliseconds which is too long for my use.  (on a busy lan, it
> would be hundred of packets difference).
>
> I've played with PIPE_READ_TIMEOUT and WRITER_THREAD_TIMEOUT and haven't
> gotten much improvement (some, not much)
>
> Are there good tutorials for pulling packets out of the linux kernel (with
> or without libpcap) -- or is it UTSL?
>
> marty
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe



-- 

Naima is online.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe