On Nov 18, 2011, at 7:35 AM, Eric Ewanco wrote:
> When I do "tshark -i eth5 udp -c 1000 -w /tmp/eth5.cap", it displays a count of packets as they come in until they reach the -c threshold. It never reaches this threshold when the problem manifests itself.
When you do "tcpdump -i eth5 -c 1000 -w /tmp/eth5.cap udp":
1) there's only one process - tshark does that by running dumpcap with a pipe sending "I've captured N more packets" up to tshark
and
2) tcpdump isn't printing out packet count messages
so it's not entirely surprising that tcpdump drops fewer packets. You might try just using dumpcap, or using tshark but suppressing the packet counts with "-q".
(Or, to put it another way, the counting is the problem. Tcpdump counts packets, but it doesn't keep telling you about them.)