[Dario Lombardo <lomato@xxxxxxxxx>]

Hi Marty

Did you try nflog/nfqueue interface? If that is not fast enough (I haven't done any comparison), I'd suggest you to have a look at ntop projects (like n2disk). It basically depends if you want to high speed capture or dissection. If you can capture and analyze later, have a look at this extcap module (ntop peoject) that leverages n2disk for running wireshark on the db it creates.

https://github.com/ntop/n2disk/tree/master/wireshark/extcap

On Sun, Mar 10, 2019 at 7:36 PM marty leisner <maleisner@xxxxxxxxx> wrote:

Running on linux, I'm using two sharktap's across the lan/wan ports of a router.

I'm running dumpcap into pipes, and reading the pipes.

I want the packets being emitted to be close time between the ingress/egress packets -- what I'm seeing is a difference of up to

hundreds of milliseconds which is too long for my use.  (on a busy lan, it would be hundred of packets difference).

I've played with PIPE_READ_TIMEOUT and WRITER_THREAD_TIMEOUT and haven't gotten much improvement (some, not much)

Are there good tutorials for pulling packets out of the linux kernel (with or without libpcap) -- or is it UTSL?

marty

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

--

Naima is online.