Wireshark-users: Re: [Wireshark-users] tshark crash with capture ring buffer (-b) and decoding pa
From: Will Cladek <will.cladek@xxxxxxxxxxxx>
Date: Fri, 11 Jan 2013 14:39:50 -0500
> One suggestion would be to avoid doing a full decode and print ("-S") but rather limit the decode output significantly ("tshark -T fields -ehttp.referer").  That might help.  You could also mess with process priorities and the like but I doubt that would buy you much.

It appears that the -S option is required when writing to a ring buffer for it to print out anything -- the -T/-e options won't work alone.  When used together, it seems to add a little time before it crashes, but not much.

So I guess the problem really comes down to the fact that tshark can't decode at line rate.  Using a capture filter to just look at port 80 is probably good enough for my uses, and it seems the data is sufficiently lower that tshark can keep up the decoding.  So thanks for the info, I'll just have to keep that all in mind.

-Will