Performance and efficiency comparison between dump tools: tcpdump, tshark, dumpcap

StackOverflow https://stackoverflow.com/questions/22218852

  •  10-06-2023

Question

I'm capturing TCP/UDP packets through a network adapter and trying to analyze the packets to get some statistical indicators such as bandwidth rate or protocol efficiency. Anyway, I need to monitor the network traffic on a specific link (src, dst, port, probably overall traffic) using some CLI tools.

My desired capturing tool should be able to:

  • run for a long time to monitor a large file transfer;

  • run as several instances at the same time to monitor different links (I don't want to complicate the filter rules);

  • write data to disk, and I don't want the I/O operations to affect capturing and other processes too much, so a binary file is OK, as long as it can be dumped by tshark.

Now I'm aware of tshark, tcpdump (which I currently use) and dumpcap, but I don't know the performance difference among these tools. Can anybody help?


Solution

Some experiments done while working on TPACKET_V3 support in libpcap found that, currently, tcpdump drops fewer packets than dumpcap. (We'd like to fix dumpcap to do better.)

TShark just runs dumpcap, so it's not going to be any better than dumpcap.
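
Because the answer turns on which tool drops fewer packets, here is one way to run one tcpdump per link writing binary pcap files and to read the drop rate from tcpdump's exit summary. This is an added example, not part of the original question or answer. The interface, filters, file names, snap length, buffer and ring sizes are assumptions, and the sample summary is constructed.

```shell
#!/bin/sh
# Added example. Values marked "assumed" are placeholders to tune for your own link.

# start_capture NAME IFACE FILTER...
# One tcpdump per monitored link, each with its own simple BPF filter.
# Writes a binary pcap ring (readable later with tshark -r) and saves
# tcpdump's stderr, including the exit summary, to NAME.stats.
start_capture() {
    name=$1; iface=$2; shift 2
    # -n        no name resolution while capturing
    # -s 96     assumed: headers are enough for bandwidth stats, less disk I/O
    # -B 8192   assumed: 8 MiB kernel capture buffer to absorb bursts
    # -C/-W     assumed: ring of 10 files of about 100 million bytes each
    tcpdump -i "$iface" -n -s 96 -B 8192 -C 100 -W 10 \
        -w "$name.pcap" "$@" > /dev/null 2> "$name.stats" &
    CAPTURE_PID=$!
}

# drop_pct [FILE]
# Reads tcpdump's exit summary (FILE or stdin) and prints kernel drops as a
# percentage of packets received by the filter. What "received by filter"
# counts depends on the OS, so compare runs on the same host only.
# Exit status 2 means the summary is missing (capture still running or killed).
drop_pct() {
    awk '
        /packets? received by filter/ { recv = $1 }
        /packets? dropped by kernel/  { drop = $1 }
        END {
            if (recv == "" || drop == "") exit 2
            if (recv == 0) { print "0.00"; exit }
            printf "%.2f\n", 100 * drop / recv
        }' "${1:--}"
}

# Constructed sample of what tcpdump prints to stderr when it exits.
sample_summary() {
    printf '%s\n' \
        'tcpdump: listening on eth0, link-type EN10MB (Ethernet)' \
        '98000 packets captured' \
        '100000 packets received by filter' \
        '2000 packets dropped by kernel'
}

# Typical use (needs capture privileges; addresses are documentation values):
#   start_capture linkA eth0 host 192.0.2.10 and port 5001
#   kill -INT "$CAPTURE_PID"; wait "$CAPTURE_PID"; drop_pct linkA.stats
sample_summary | drop_pct    # offline demo on the constructed summary
```

Running the same transfer once per tool and comparing the drop percentage gives a measurement for your own hardware and traffic.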

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow