[tcpdump-workers] Libpcap timeout settings in tcpdump - too long when printing to a terminal?

Guy Harris guy at alum.mit.edu
Tue Feb 10 18:42:26 EST 2015


On Jan 9, 2015, at 8:30 AM, Michael Richardson <mcr at sandelman.ca> wrote:

> Guy Harris <guy at alum.mit.edu> wrote:
>> The longer timeout can reduce capturing overhead, and if you're
>> capturing a high volume of traffic to a file, it's probably the right
>> timeout to have.  If, however, you're printing packets to the console,
>> you're probably doomed if it's a high volume of traffic, and may want
>> less of a delay if it's a low volume of traffic.
> 
>> Should we reduce the timeout if -w isn't specified - or do so if -w
>> isn't specified *and* if we're outputting to a terminal (isatty(1)
>> returns a non-zero value)?  Should we use immediate mode if libpcap
> 
> Yes, I think that -w not specified, and isatty()==1.

OK, I've implemented that for immediate mode, i.e. immediate mode if -w isn't specified and isatty(1) is true, and added a --immediate-mode flag so the nerds in the audience have a knob to tweak. :-)

If pcap_set_immediate_mode() isn't available, should it set the timeout to a lower value instead, in those cases?

Should we reduce the default timeout?  Should we have a command-line flag to set the timeout?


More information about the tcpdump-workers mailing list