Wireshark-users: Re: [Wireshark-users] Tshark shows packet loss while tcpdump doesn't! - Why?
On Aug 31, 2009, at 10:22 AM, H Aslam wrote:
> I'm streaming a video sequence via VLC using RTP and port 1234 and
> I'm trying to detect packet loss, jitter and delay.
> When I run the following command:
>
>     tshark -i 6 -c 5000 -d udp.port==1234,rtp -z rtp,streams
>
> I get a lot of packet loss.
> While running tcpdump and thereafter reading the pcap, generated by
> tcpdump, in tshark and showing the statistics I get much more
> reliable results with 0% packet loss.
> I'm running tshark on an embedded Linux.
> Why is that?
Because TShark does more work on the packets if you're asking it to
dissect every single packet (which is what it does in that case - it
has to do that in order to calculate RTP statistics) than tcpdump does
if you have it just write the packets out to a file.
In addition, in order to limit the amount of code that runs with
elevated privileges (which are needed, on a number of platforms, in
order to capture traffic), we currently have dumpcap do the capturing
and write to a file, and TShark read from that file. (This may change
to a pipe at some point, but you still have the two-process split -
although, perhaps that will be an advantage on a multi-core machine.)
> - something with the filters?
There *is* no filter in
    tshark -i 6 -c 5000 -d udp.port==1234,rtp -z rtp,streams
so what it has to do with the filters is "there is no filter so it has
to process packets about which you don't care".
Try
    tshark -i 6 -c 5000 -d udp.port==1234,rtp -z rtp,streams udp port 1234
which *does* have a (capture) filter, "udp port 1234". No guarantees
that all the per-packet work done by TShark can be done quickly enough
not to drop packets.
(NOTE: if this traffic is being carried over, say, PPPoE or on a VLAN
or over MPLS, the capture filter would need to be changed, e.g. "pppoe
and udp port 1234" or "vlan and udp port 1234" or "mpls and udp port
1234".)
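
The split the reply describes (filter at capture time, dissect afterwards), as an added example that is not part of the original message or of the Wireshark project: dumpcap does the privileged capture with a capture filter, and TShark computes the RTP statistics offline from the file. Interface 6 and port 1234 come from the thread; the function names and the output path are assumptions.

```shell
#!/bin/sh
# Added example: capture with a capture filter first, dissect offline afterwards.
# Function names and the output path are hypothetical.

# Build the capture filter for the encapsulation carrying the RTP stream,
# following the NOTE in the reply (plain, pppoe, vlan or mpls).
capture_filter() {
    port=$1
    encap=${2:-plain}
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 2
    fi
    case "$encap" in
        plain)           printf 'udp port %s\n' "$port" ;;
        pppoe|vlan|mpls) printf '%s and udp port %s\n' "$encap" "$port" ;;
        *) echo "unknown encapsulation: $encap" >&2; return 2 ;;
    esac
}

# Step 1: dumpcap is the only part that needs capture privileges. It writes
# the filtered packets to a file and does no dissection.
capture_rtp() {
    iface=$1; port=$2; encap=$3; out=$4
    filter=$(capture_filter "$port" "$encap") || return 2
    dumpcap -i "$iface" -c 5000 -f "$filter" -w "$out"
}

# Step 2: dissection and RTP statistics run on the saved file, unprivileged,
# so slow per-packet work can no longer cause capture drops.
analyze_rtp() {
    tshark -r "$1" -q -d "udp.port==$2,rtp" -z rtp,streams
}

# Usage (not run automatically):
#   capture_rtp 6 1234 plain /tmp/rtp.pcap && analyze_rtp /tmp/rtp.pcap 1234
```

dumpcap reports how many packets were received and dropped when it exits, which separates loss at the capture point from loss the RTP statistics attribute to the stream itself.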