
I've been using tcpdump and it's good, but it exhibits issues here. Other programs like hexinject, tcpflow, and tracedump all use pcap so they delay a bit before displaying the packets.

I've also used raw-sockets which does not lag, but I am unable to get port numbers with raw sockets.

I've looked at the docs for tcpdump, and there seems to be --immediate-mode. I'm trying to get tcpdump to stop delaying sending its packets.

My current versions are:

  • tcpdump version 4.6.2

  • libpcap version 1.6.2

Is there a patch for tcpdump like this or another cli that doesn't delay?

Dave Chen

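Pulling port numbers out of what a raw socket delivers is a matter of walking the headers by hand, since there is no libpcap dissector in between. The following is an added C example (not code from the question or from tcpdump) that parses one Ethernet II frame, the form a Linux AF_PACKET/SOCK_RAW socket hands to recv(), through an optional 802.1Q tag and the IPv4 header (honouring IHL so IP options do not shift the ports) to the TCP or UDP port fields, with every offset bounds-checked because a raw socket also delivers runt and truncated frames. The two sample frames are constructed for the example; the names parse_ports, sample_tcp_syn and sample_udp_vlan are mine, and the code assumes a single VLAN tag at most.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Transport-layer ports pulled out of one captured frame. */
struct ports {
    uint8_t  proto;  /* IPv4 protocol number: 6 = TCP, 17 = UDP */
    uint16_t src;    /* source port, host byte order */
    uint16_t dst;    /* destination port, host byte order */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse Ethernet II (optionally one 802.1Q tag) / IPv4 / TCP-or-UDP.
 * Returns 1 and fills *out, or 0 if the frame carries some other protocol,
 * is a non-first fragment, or is too short to contain the port fields.
 * Every offset is bounds-checked first: a raw socket hands over exactly
 * what was on the wire, including runt and truncated frames. */
int parse_ports(const uint8_t *frame, size_t len, struct ports *out)
{
    size_t off = 14;                              /* Ethernet II header */
    if (len < off) return 0;
    uint16_t ethertype = be16(frame + 12);
    if (ethertype == 0x8100) {                    /* 802.1Q VLAN tag (one level assumed) */
        if (len < off + 4) return 0;
        ethertype = be16(frame + 16);
        off += 4;
    }
    if (ethertype != 0x0800) return 0;            /* not IPv4 */

    const uint8_t *ip = frame + off;
    if (len - off < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* header length incl. options */
    if (ihl < 20) return 0;
    if ((be16(ip + 6) & 0x1fff) != 0) return 0;   /* non-first fragment: no L4 header */
    uint8_t proto = ip[9];
    if (proto != 6 && proto != 17) return 0;

    /* Bytes of the IP packet actually present: the frame may be padded up to
     * the Ethernet minimum (trust Total Length) or cut short by a snaplen
     * (trust len), so take the smaller of the two. */
    size_t avail = len - off;
    if (be16(ip + 2) < avail) avail = be16(ip + 2);
    if (avail < ihl + 4) return 0;                /* ports are the first 4 bytes of TCP and UDP */

    out->proto = proto;
    out->src = be16(ip + ihl);
    out->dst = be16(ip + ihl + 2);
    return 1;
}

/* Constructed sample: TCP SYN from 10.0.0.1:50000 to 10.0.0.2:80 (checksums left zero). */
static const uint8_t sample_tcp_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00
};

/* Constructed sample: VLAN 10, UDP from 10.0.0.1:54321 to 8.8.8.8:53 (empty payload). */
static const uint8_t sample_udp_vlan[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x81,0x00, 0x00,0x0a, 0x08,0x00,
    0x45,0x00, 0x00,0x1c, 0x00,0x02, 0x00,0x00, 0x40,0x11, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x08,0x08,0x08,0x08,
    0xd4,0x31, 0x00,0x35, 0x00,0x08, 0x00,0x00
};

int main(void)
{
    const struct { const char *name; const uint8_t *frame; size_t len; } samples[] = {
        { "TCP SYN",                      sample_tcp_syn,  sizeof sample_tcp_syn  },
        { "VLAN-tagged DNS query",        sample_udp_vlan, sizeof sample_udp_vlan },
        { "TCP SYN truncated at 36 bytes", sample_tcp_syn, 36 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ports p;
        if (parse_ports(samples[i].frame, samples[i].len, &p))
            printf("%s: proto %u, %u -> %u\n", samples[i].name, p.proto, p.src, p.dst);
        else
            printf("%s: no ports\n", samples[i].name);
    }
    return 0;
}
```

With an AF_INET/SOCK_RAW socket instead of AF_PACKET, Linux delivers the packet starting at the IP header, so the Ethernet part of the walk is dropped and off starts at 0; the IHL and length checks stay the same.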
1 Answer


Is there a patch for tcpdump like this

Yeah, there's this, which, like that patch, adds a flag to turn immediate mode on...

...except that it's not BPF-specific (so it's not restricted to *BSD, OS X, and Solaris 11), and uses --immediate-mode rather than -b, and it's already in the standard tcpdump 4.7.x releases, so if you have tcpdump 4.7.x or later you don't have to apply the patch.

What kind of patch are you looking for? One that doesn't require a recent version of libpcap with an API to turn on immediate mode? If so, either that patch won't work on some OSes or will have to do OS-dependent things (and, unfortunately, there's not some simple ioctl you can do on Linux, so there might not be an OS-dependent way of turning buffering off for your OS).

On the other hand, you could try reducing the timeout to, say, 1/10 of a second (use 100 rather than 1000 in pcap_open_live() or pcap_set_timeout()) or even 1/100 of a second (use 10 rather than 1000 in pcap_open_live() or pcap_set_timeout()).