Wireshark-users: Re: [Wireshark-users] Faster: tshark or tcpdump?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 30 Oct 2011 16:49:52 -0700
On Oct 30, 2011, at 2:43 PM, Chip wrote:

> For grabbing only the endpoint ips for https and http traffic, which is faster when dealing with high-bandwidth traffic, tshark or tcpdump?

If you want to capture it into a pcap file, and not do any dissection in the process, TShark doesn't offer any advantage - it just runs dumpcap and, if run without "-q", keeps track of how many packets dumpcap says it's captured and displays that.

I've never measured tcpdump and dumpcap on high-bandwidth traffic; I suspect there won't be a big difference.

> I need to grab only the end to end point ips along with timestamp,

If you truly care only about the endpoint IP addresses, then, if you only care about a known set of TCP ports (80, 443, maybe others), I'd capture with the appropriate "tcp port 80 or 443 or..." filter, and a snapshot length sufficient to capture all the relevant headers, including the IP header, but not, for example, the TCP header.
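The capture recipe above (port filter plus a snaplen that stops after the IP header) works because both IP addresses sit at fixed offsets in the IP header, and because the capture filter is evaluated against the whole packet before the snaplen truncates it, so "tcp port 80 or 443" still matches even though no TCP bytes end up in the file. The following is an added example, not code from the Wireshark project or from either poster: it computes that minimal snaplen for Ethernet, writes a small classic-format pcap from constructed frames truncated the way a capture tool would truncate them, and reads the timestamps and endpoint addresses back out. All function names and the sample frames are constructed for this illustration.

```python
"""Minimal snaplen for endpoint IPs, and a reader for the truncated capture.

Added illustration; the constants follow the classic libpcap file format and
the Ethernet/IPv4/IPv6 header layouts, everything else is constructed here.
"""
import struct
import ipaddress

ETH_HDR_LEN = 14          # dst MAC (6), src MAC (6), ethertype (2)
VLAN_TAG_LEN = 4          # optional 802.1Q tag inserted before the ethertype
IPV4_MIN_HDR_LEN = 20     # addresses occupy bytes 12..19; options come after
IPV6_HDR_LEN = 40         # addresses occupy bytes 8..39; no options in base header
LINKTYPE_ETHERNET = 1
PCAP_MAGIC_USEC = 0xA1B2C3D4


def snaplen_for_endpoint_ips(vlan=False, ipv6=True):
    """Smallest snaplen on Ethernet that always includes both IP addresses.

    IPv4 options follow the addresses, so they can never push the addresses
    past the cut; an IPv4-only capture needs just 14 + 20 = 34 bytes, which
    contains no TCP header bytes at all. Dual-stack needs 14 + 40 = 54.
    """
    ip_part = IPV6_HDR_LEN if ipv6 else IPV4_MIN_HDR_LEN
    return ETH_HDR_LEN + (VLAN_TAG_LEN if vlan else 0) + ip_part


def build_pcap(records, snaplen):
    """records: iterable of (ts_sec, ts_usec, full_frame). Each frame is cut
    to snaplen exactly as tcpdump/dumpcap -s would do; orig_len is kept."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen,
                       LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        cap = frame[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(cap), len(frame)))
        out.append(cap)
    return b"".join(out)


def endpoint_ips(frame):
    """(src, dst) strings for an Ethernet frame, or None if not IP / too short."""
    pos = 12                                   # position of the ethertype
    if len(frame) < pos + 2:
        return None
    ethertype, = struct.unpack_from("!H", frame, pos)
    if ethertype == 0x8100:                    # 802.1Q: TCI, then real ethertype
        pos += VLAN_TAG_LEN
        if len(frame) < pos + 2:
            return None
        ethertype, = struct.unpack_from("!H", frame, pos)
    ip = pos + 2                               # first byte of the IP header
    if ethertype == 0x0800:
        if len(frame) < ip + IPV4_MIN_HDR_LEN or frame[ip] >> 4 != 4:
            return None
        return (str(ipaddress.IPv4Address(frame[ip + 12:ip + 16])),
                str(ipaddress.IPv4Address(frame[ip + 16:ip + 20])))
    if ethertype == 0x86DD:
        if len(frame) < ip + IPV6_HDR_LEN or frame[ip] >> 4 != 6:
            return None
        return (str(ipaddress.IPv6Address(frame[ip + 8:ip + 24])),
                str(ipaddress.IPv6Address(frame[ip + 24:ip + 40])))
    return None


def extract_endpoints(pcap):
    """Yield (ts_sec, ts_usec, src, dst) for every IP packet in a classic
    little-endian pcap; packets too short to hold the addresses are skipped."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != PCAP_MAGIC_USEC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian usec pcap over Ethernet handled")
    off, rows = 24, []
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, caplen, _orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        ips = endpoint_ips(pcap[off:off + caplen])
        off += caplen
        if ips:
            rows.append((ts_sec, ts_usec) + ips)
    return rows


# --- constructed sample frames (checksums left zero; irrelevant here) ---------
_ETH = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"


def _tcp_hdr(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def _ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    tcp = _tcp_hdr(sport, dport)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return _ETH + b"\x08\x00" + ip + tcp + payload


def _ipv6_tcp_frame(src, dst, sport, dport, payload=b""):
    tcp = _tcp_hdr(sport, dport)
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(tcp) + len(payload), 6, 64,
                     ipaddress.IPv6Address(src).packed,
                     ipaddress.IPv6Address(dst).packed)
    return _ETH + b"\x86\xdd" + ip + tcp + payload


def demo():
    """Same three constructed frames saved with the IPv4-only snaplen (34) and
    the dual-stack one (54); the short capture silently loses the IPv6 flow."""
    frames = [
        (1320000000, 250000, _ipv4_tcp_frame("192.0.2.10", "198.51.100.7",
                                             51000, 443, b"\x16\x03\x01")),
        (1320000000, 250400, _ipv4_tcp_frame("198.51.100.7", "192.0.2.10",
                                             443, 51000)),
        (1320000001, 10, _ipv6_tcp_frame("2001:db8::a", "2001:db8::b",
                                         52000, 80, b"GET / HTTP/1.1\r\n")),
    ]
    short = extract_endpoints(build_pcap(frames, snaplen_for_endpoint_ips(ipv6=False)))
    full = extract_endpoints(build_pcap(frames, snaplen_for_endpoint_ips()))
    return short, full


if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

On the wire the same numbers go straight into the capture command, for instance `tcpdump -i eth0 -s 54 -w out.pcap 'tcp port 80 or 443'` or `dumpcap -i eth0 -s 54 -f 'tcp port 80 or 443' -w out.pcap`; add 4 to the snaplen on a VLAN trunk. Note the failure mode the demo shows: a snaplen chosen for IPv4 alone (34) keeps the file smallest and excludes every TCP byte, but any IPv6 traffic matching the filter is recorded with its addresses cut off.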