
When running tcpdump on the command line, packets appear in real time as they are received. However, when tcpdump is piped into anything, it resorts to buffered output. The -l and -U options are provided to allow configuration of this. However, I find that no matter what options I set, the result is never as fast as running from the raw CLI. I've tried Python with subprocess, tee, and even a Rust wrapper. Packets always appear to be output in batches.

Any ideas?

anderspitman
  • Are you sure that it is not the client (the reader) that processes them in batches? – Patrick Mevzek Apr 12 '18 at 21:55
  • It's certainly possible. I've tried disabling all buffering in my wrappers and it still doesn't work. Do you have a suggestion for a reliable way to test this? – anderspitman Apr 12 '18 at 22:04
  • Using unbuffer from the expect package seems to fix it. Not completely sure what that indicates – anderspitman Apr 12 '18 at 22:11
  • Really depends on your code... In many languages, I/O is buffered by default. I also see this as comment in the unbuffer source code: Use a pseudoterminal to circumvent the block buffering performed by the stdio library when standard output is redirected to a file or pipe. Also see https://www.pixelbeat.org/programming/stdio_buffering/: "if stdout is a terminal then buffering is automatically set to line buffered, else it is set to buffered" and "if stdin/stdout are connected to a terminal then default size = 1024; else size = 4096 " – Patrick Mevzek Apr 12 '18 at 22:41
  • See this answer and the surrounding discussion for a solution and explanations of the issues. – AFH Apr 12 '18 at 22:59

1 Answer


tcpdump now has --immediate-mode, which solved this problem for me. In order to get it to work I used it in conjunction with -l.

See this answer.

anderspitman
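An added example, not code from the original question or answer, that puts the two halves of the fix together: the answer's tcpdump invocation (-l plus --immediate-mode; the -n flag is my addition, to keep reverse DNS lookups from stalling lines) and an unbuffered reader on the consuming side, which the comments identify as the other usual culprit. tcpdump and the interface name are assumed; a constructed Python producer stands in for tcpdump so the reader can be exercised without capture privileges, and it is run both flushed (like tcpdump -l) and unflushed (block-buffered on a pipe) to show the difference in arrival timing.

```python
"""Read tcpdump output one packet at a time from Python.

Added example, not code from the original post. It assumes a tcpdump that
supports --immediate-mode and a caller with capture privileges; the demo
producer at the bottom stands in for tcpdump so the reader side can be
tested offline.
"""
import subprocess
import sys
import time
from typing import Iterator, List


def tcpdump_command(interface: str, bpf_filter: str = "") -> List[str]:
    """Build the tcpdump invocation from the accepted answer.

    -l               line-buffer stdout even when it is a pipe
    --immediate-mode hand packets to tcpdump as they arrive instead of
                     letting libpcap batch them in its capture buffer
    -n               skip reverse DNS, which would otherwise stall lines
    """
    cmd = ["tcpdump", "-l", "--immediate-mode", "-n", "-i", interface]
    if bpf_filter:
        cmd.append(bpf_filter)  # e.g. "tcp port 443"; tcpdump parses it
    return cmd


def stream_lines(cmd: List[str]) -> Iterator[str]:
    """Yield each line the child writes as soon as its newline arrives.

    The reader must not buffer either: bufsize=0 gives an unbuffered raw
    pipe, and readline() on it returns as soon as a newline is seen.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, bufsize=0)
    assert proc.stdout is not None
    try:
        for raw in iter(proc.stdout.readline, b""):
            yield raw.decode("utf-8", "replace").rstrip("\n")
    finally:
        proc.kill()
        proc.wait()


def arrival_spread(cmd: List[str]) -> float:
    """Seconds between the first and last line reaching the reader.

    Near zero means the producer delivered everything in one batch (the
    symptom in the question); a spread close to the producer's own pacing
    means lines are coming through as they are written.
    """
    stamps = [time.monotonic() for _ in stream_lines(cmd)]
    return stamps[-1] - stamps[0] if len(stamps) > 1 else 0.0


# Constructed stand-in for tcpdump: three tcpdump-style lines, 0.3 s apart.
# With flush=True the child behaves like tcpdump -l; without it, Python's
# stdio is block-buffered on a pipe and all three lines arrive at exit.
_PRODUCER = ("import sys, time\n"
             "for i in range(3):\n"
             "    print('12:00:0%d.000000 IP 10.0.0.1 > 10.0.0.2' % i,"
             " flush={flush})\n"
             "    time.sleep(0.3)\n")
PACED_PRODUCER = [sys.executable, "-c", _PRODUCER.format(flush="True")]
BATCHED_PRODUCER = [sys.executable, "-c", _PRODUCER.format(flush="False")]

if __name__ == "__main__":
    print("tcpdump command:", " ".join(tcpdump_command("eth0", "tcp port 443")))
    print("paced producer spread:   %.2f s" % arrival_spread(PACED_PRODUCER))
    print("batched producer spread: %.2f s" % arrival_spread(BATCHED_PRODUCER))
```

To use it against a real interface, replace the constructed producer with `stream_lines(tcpdump_command("eth0", "tcp port 443"))` and run with capture privileges; if lines still arrive in bursts, the remaining buffering is on the reader side, which is exactly what the batched producer above reproduces.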