Wireshark-users: Re: [Wireshark-users] Will capturing packets with tcpdump/tshark affect traffic

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 8 Aug 2016 18:28:15 -0700

On Aug 8, 2016, at 5:57 PM, Rayne <hjazz6@xxxxxxxxx> wrote:

> If I use tcpdump or tshark to capture packets on a certain interface, will it interfere with another program that is also receiving packets on that interface? 
> 
> For example, I have a program that receives traffic from eth0, processes it, then forwards the traffic out to another server via eth1. If I were to run tcpdump or tshark (-i eth0) and write the packets to a file, will these packets still be received by my program? The reason I'm running tcpdump/tshark is to check if there is any dropped packet on that interface, but I don't want it to affect the processing of the traffic.

The mere existence of a tap (of whatever type libpcap/WinPcap uses on your platform; as you're saying eth0, it's probably Linux, so the form it takes is a PF_PACKET socket bound to eth0) should not cause packets not to be delivered.

However, the capture process consumes CPU, bus bandwidth, and kernel network buffer resources, so it could, conceivably, cause more dropped packets as a result.  It's not *guaranteed* to happen, and probably won't happen unless your system is very heavily loaded, but it could conceivably happen.

Unfortunately, there's not much you can do about it, other than:

	1) using a capture filter to capture *only* the traffic you're interested in;

	2) using a capture program that consumes as little CPU as possible - I'd recommend using tcpdump and writing to a capture file with -w, and then looking at the file afterwards with Wireshark.
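
An added example, not part of the original message: one way to check for drops around a tcpdump -w run is to compare the interface's receive counters in /proc/net/dev before and after the capture, and to read tcpdump's own exit summary separately. The function names and all sample counter values below are constructed for illustration.

```python
import re

# Constructed sample data (not from the original message): /proc/net/dev read
# before and after a capture like `tcpdump -i eth0 -w out.pcap <filter>`,
# plus the summary tcpdump prints to stderr when it exits.
HEADER = ("Inter-|   Receive                            |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast|"
          "bytes packets errs drop fifo colls carrier compressed\n")
BEFORE = HEADER + "  eth0: 900000 1000 0 5 0 0 0 0 4000 50 0 0 0 0 0 0\n"
AFTER = HEADER + "  eth0: 2700000 3003 0 7 0 0 0 0 9000 90 0 0 0 0 0 0\n"
TCPDUMP_STDERR = ("2000 packets captured\n"
                  "2003 packets received by filter\n"
                  "3 packets dropped by kernel\n")

RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo")

def rx_counters(proc_net_dev, iface):
    """Return the receive-side counters for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return dict(zip(RX_FIELDS, map(int, rest.split())))
    raise KeyError(f"interface {iface!r} not found")

def tcpdump_stats(stderr_text):
    """Parse the three counters tcpdump reports on exit."""
    patterns = {"captured": r"(\d+) packets? captured",
                "received_by_filter": r"(\d+) packets? received by filter",
                "dropped_by_kernel": r"(\d+) packets? dropped by kernel"}
    found = {k: re.search(p, stderr_text) for k, p in patterns.items()}
    return {k: int(m.group(1)) if m else None for k, m in found.items()}

def drop_report(before, after, iface, tcpdump_stderr):
    """Separate drops counted on the interface from drops inside the capture."""
    b, a = rx_counters(before, iface), rx_counters(after, iface)
    delta = {k: a[k] - b[k] for k in RX_FIELDS}
    cap = tcpdump_stats(tcpdump_stderr)
    return {
        "rx_delta": delta,
        # Interface counters rose: the kernel/NIC counted lost receive packets.
        "interface_dropped": delta["errs"] + delta["drop"] + delta["fifo"] > 0,
        # tcpdump's own counter: the capture file is missing packets; this says
        # nothing about what the other program on the interface received.
        "capture_incomplete": bool(cap["dropped_by_kernel"]),
        "capture": cap,
    }

if __name__ == "__main__":
    # Live use: pass open("/proc/net/dev").read() taken before and after.
    print(drop_report(BEFORE, AFTER, "eth0", TCPDUMP_STDERR))
```
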