Reputation: 720
Performance and efficiency comparing between dump tools: tcpdump, tshark, dumpcap
I'm capturing tcp/udp packets through network adapter and trying to analyze the packets to get some statistical indicator such like bandwidth rate or protocol efficiency. Anyway i need to monitor the network traffic on specific link (src, dst, port, probably overall traffic) using some CLI tools.
My desired capturing tool can be:
ran for a long time to monitor a large file transferring;
ran several instances at the same time to monitor different links; (don't want to complex the filter rules);
able to write data on disk, and i don't want the io operation affect capturing and other process too much, so binary file is ok, as long as it can be dumped by tshark.
Now i'm aware of tshark, tcpdump(currently use it) and dumpcap, but i don't know the performance difference among these tools. Can anybody helP?
Upvotes: 6
Views: 5278
Answers (1)
Reputation:
Some experiments done while working on TPACKET_V3 support in libpcap found that, currently, tcpdump drops fewer packets than dumpcap. (We'd like to fix dumpcap to do better.)
TShark just runs dumpcap, so it's not going to be any better than dumpcap.
Upvotes: 5
Related Questions
- dumpcap, save to text file and line separated
- Export raw packet bytes in tshark, tcpdump, or similar?
- What is the difference between these 2 TCP packet captures? One doesn't work
- tcpdump / wireshark capturing problems
- using either tcpdump or tshark to produce json file?
- Understanding tshark output
- Get tcpstream - wireshark vs tshark
- tcpdump vs tcpflow (or "why isn't tcpdump ASCII packet data human readable?")
- Difference between two similar tcpdump filters
- Tool to monitor/record TCP streams