Wireshark-users: Re: [Wireshark-users] tshark packets dropped
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 7 Jan 2010 11:12:17 -0800
On Jan 7, 2010, at 10:58 AM, Forthofer Russ wrote:

> Does this mean that dumpcap is more efficient than tshark?

Yes.  For one thing, the way tshark captures traffic is to run dumpcap (the same is true of Wireshark); unless tshark does *nothing* other than run dumpcap and wait for it to finish, it will impose *some* additional overhead.

If you run TShark with the "-w" option and without the "-S" option, all it does is get updates from dumpcap saying "I've captured N packets" and write an update to the "total packets captured" count to the standard output.  If you also run it with "-q", it won't even do that, but it still updates the count in memory; that's probably the most efficient way to run TShark, but, if that's all you're doing, you might as well just run dumpcap.

If you run TShark without the "-w" option, or with both "-w" and "-S", it will also *dissect* the packets as dumpcap writes them out; in that case, it will do a *lot* more work than dumpcap, in addition to the work dumpcap is doing.

In addition, when it's being run by TShark without "-w" or with "-S", or by Wireshark with "Update list of packets in real time", dumpcap will write out each burst of packets it sees to its output file as the burst arrives, so that a write to the file system happens for each burst; otherwise, it just lets the "C standard I/O library" routines' buffering write to the file system when the buffer fills up or when the capture is done, so that fewer writes are done (with more data per write).  That also adds overhead.

> I've never understood the difference between the two programs.  Does one have functions the other does not?

Yes.  TShark can dissect packets; dumpcap cannot (this is intentional - dumpcap might have to run with elevated privileges in order to capture traffic, and the intent is to minimize the amount of code that has to run with elevated privileges).
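The three invocations described in the reply above, as an added example that is not part of the original mailing-list post. It is a small POSIX sh script: capture_cmd builds the cheapest command line for what you actually need (write-only with dumpcap, count-only with "tshark -q -w", or write-and-dissect with "tshark -S -w"), run_capture executes it, and privsep_check reports whether the installed binaries match the privilege split the reply describes (dumpcap setuid or carrying capabilities, tshark carrying neither). The interface name, output file name and duration are placeholders, and dumpcap/tshark must be on PATH for anything other than building the command line; the "-a duration:N" autostop and "-q"/"-S"/"-w" flags are the documented dumpcap and tshark options.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Wireshark project.
# Assumptions: interface, output file and duration are placeholders supplied by
# the caller; dumpcap and tshark are on PATH only when actually capturing.

# capture_cmd MODE IFACE OUTFILE SECONDS
# Prints the command line for one of three modes, from cheapest to costliest:
#   save    -> dumpcap alone: no dissection, stdio-buffered writes, no parent
#   count   -> tshark -q -w: keeps the packet count in memory, still spawns dumpcap
#   dissect -> tshark -S -w: writes the file AND dissects every packet
# Every mode stops after SECONDS via the autostop condition.
capture_cmd() {
    mode=$1; iface=$2; out=$3; secs=$4
    case "$mode" in
        save)    printf '%s\n' "dumpcap -i $iface -a duration:$secs -w $out" ;;
        count)   printf '%s\n' "tshark -i $iface -q -a duration:$secs -w $out" ;;
        dissect) printf '%s\n' "tshark -i $iface -S -a duration:$secs -w $out" ;;
        *)       printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
}

# run_capture MODE IFACE OUTFILE SECONDS
# Runs the chosen command and echoes the tool's stderr (that is where
# dumpcap and tshark print their packet counts and interface drop statistics).
run_capture() {
    cmd=$(capture_cmd "$1" "$2" "$3" "$4") || return 1
    tool=${cmd%% *}
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; return 2; }
    # Word splitting of $cmd is intentional: it was built above from plain tokens.
    $cmd 2>"$3.log"
    status=$?
    cat "$3.log" >&2
    return $status
}

# privsep_check
# The dumpcap/tshark split exists so that only dumpcap needs capture privileges.
# Report whether the installed binaries match that intent: dumpcap may be setuid
# or carry file capabilities (Linux), tshark should have neither.
# Returns 0 when tshark is unprivileged, 1 when it is not, 2 when a tool is missing.
privsep_check() {
    d=$(command -v dumpcap 2>/dev/null) || { echo "dumpcap not installed"; return 2; }
    t=$(command -v tshark 2>/dev/null)  || { echo "tshark not installed";  return 2; }
    d_priv=no; t_priv=no
    [ -u "$d" ] && d_priv=yes
    [ -u "$t" ] && t_priv=yes
    if command -v getcap >/dev/null 2>&1; then
        getcap "$d" 2>/dev/null | grep -q cap_net && d_priv=yes
        getcap "$t" 2>/dev/null | grep -q cap_net && t_priv=yes
    fi
    echo "dumpcap privileged: $d_priv, tshark privileged: $t_priv"
    [ "$t_priv" = no ]
}

# Usage (assumed placeholders): sh capture.sh --run save eth0 out.pcapng 10
if [ "${1:-}" = "--run" ]; then
    shift
    run_capture "$@"
fi
```

If you only ever need the file, the "save" mode is the one to use; "count" costs an extra process and an IPC round trip per burst of packets, and "dissect" adds a write per burst plus full dissection on top of that, which is where the dropped-packet complaints usually come from.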