Tshark read offline file start so slow

Question

I execute tshark (wireshark utility) command that reading from pcap file. Process is too slow. Sometimes take more than 6-7 seconds. Pcap file is really small (~500bytes). Actually strange thing is that re-execute same command consequently, process duration is decreasing dramatically. After wait about half minute (without execution command), re-run same command and process completion duration increase again. Why process behave like that? How to check what is going on in deep?

Command :

tshark -r test.pcap

OS : SunOS er 5.10 Generic_147441-01 i86pc i386 i86pc

Thanks

score 0 · Answer 1 · answered Feb 26 '13 at 17:11

0

This may be due to DNS resolution of hostnames. Add the -n parameter to disable this and see if it speeds it up:

tshark -n -r test.pcap

If this solves the issue you probably want to enable MAC and port number lookups again like this:

tshark -N mt -r test.pcap

You could also try the asynchronous DNS lookup by adding C to that list:

tshark -N mtC -r test.pcap

answered Feb 26 '13 at 17:11

mgorven

30,615
7
79
122

-n parameter is not changed anything – Erdinç Taşkın Feb 26 '13 at 18:09

Tshark read offline file start so slow

1 Answers1