I am using a third-party tool that captures network traffic as a pcap file during a network test. When I attempt to play these files back, I use the tcpdump tool with the -Aq -r options, and pipe the output to grep. Some of the captures are 600 KB in size, which doesn't seem huge, but they still take a relatively long time to read.
Is tcpdump reading the pcap file back in real time, and – if so – how can I speed it up?
This is what my chosen tcpdump options do:
-A          prints packets (minus header) in ASCII, so it's grep- and human-friendly.
-q          prints less information, for faster output.
-r <FILE>   reads in the given pcap file.
This is an example of an actual command that I've run, where it took forty-five seconds to print sixteen lines, when I would have expected the execution time to be near-instant, or a few seconds at most:
$ tcpdump -Aq -r z2121ecbc0186d9fa07b.pcap | grep POST
Given that the duration of the capture is less than a minute, I'm starting to think that tcpdump -r causes the capture to play back in real time, but I can't find anything in the man page or online to confirm that, and certainly nothing that tells me whether there is a way to turn off that real-time playback.
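Added example, not part of the question or of any answer on this page: a small Python pcap writer and reader (the helper names build_frame, write_pcap, read_pcap, tcp_payload, grep_payloads and demo are my own) that builds a constructed 50-packet capture spanning about 49 seconds, then reads it back and keeps only payloads containing POST, which is what tcpdump -Aq -r FILE | grep POST extracts. The point it demonstrates is that a pcap file is a flat sequence of records whose timestamps are plain metadata in each 16-byte record header; reading it is ordinary sequential file I/O, and the wall-clock time it takes is unrelated to the span of the capture.

```python
"""Minimal pcap writer/reader. A pcap is a 24-byte global header followed by
records of (16-byte header, captured bytes); timestamps live in the record
header and nothing in the format asks a reader to wait on them."""
import os
import struct
import tempfile
import time

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(payload: bytes, sport: int, dport: int = 80) -> bytes:
    """Wrap `payload` in constructed Ethernet/IPv4/TCP headers
    (RFC 5737 documentation addresses, MACs are made up)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # TCP: ports, seq, ack, data offset 5 (20 bytes), flags PSH|ACK, window
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return eth + ip + tcp + payload


def write_pcap(path: str, packets):
    """packets: iterable of (timestamp_seconds, frame_bytes)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path: str):
    """Yield (timestamp, frame) per record; the timestamp is only reported."""
    with open(path, "rb") as f:
        header = f.read(24)
        if struct.unpack("<I", header[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            sec, usec, caplen, _origlen = struct.unpack("<IIII", rec)
            yield sec + usec / 1_000_000, f.read(caplen)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet (14) + IPv4 (IHL*4) + TCP (data offset*4) headers."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    doff = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + doff:]


def grep_payloads(path: str, needle: bytes):
    """Rough equivalent of `tcpdump -Aq -r FILE | grep needle`.
    Returns (matching_payloads, capture_span_seconds, wall_clock_seconds)."""
    start = time.perf_counter()
    matches, first_ts, last_ts = [], None, None
    for ts, frame in read_pcap(path):
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        payload = tcp_payload(frame)
        if needle in payload:
            matches.append(payload.decode("ascii", "replace"))
    return matches, last_ts - first_ts, time.perf_counter() - start


def demo(path: str = None):
    """Write a constructed 50-packet capture (one packet per second, every
    tenth one a POST) to `path` (a temp file if None) and grep it."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    packets = []
    for i in range(50):
        body = (b"POST /api HTTP/1.1\r\n\r\n" if i % 10 == 0
                else b"GET /index.html HTTP/1.1\r\n\r\n")
        packets.append((1_700_000_000 + i, build_frame(body, 40000 + i)))
    write_pcap(path, packets)
    return grep_payloads(path, b"POST")


if __name__ == "__main__":
    hits, span, wall = demo()
    print(f"{len(hits)} POST payloads; capture spans {span:.0f} s, read took {wall:.4f} s")
```

The reader never sleeps between records, so the 49-second span of the constructed capture costs nothing at read time. If a real tcpdump -r run takes tens of seconds on a 600 KB file, the time is being spent somewhere other than reading the packets; timing the raw read separately, as this block does, is a cheap way to confirm that before looking at the output path (for example, name resolution of the addresses tcpdump prints, which its -n option turns off).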