I am using a third-party tool that captures network traffic as a pcap file during a network test. When I attempt to play these files back, I use the tcpdump tool with the -Aq -r options, and pipe the output to grep. Some of the captures are 600 KB in size, which doesn't seem huge, but they still take a relatively long time to read.

Is tcpdump reading the pcap file back in real time, and – if so – how can I speed it up?
This is what my chosen tcpdump options do:

-A prints packets (minus header) in ASCII, so it's grep- and human-friendly.
-q prints less information, for faster output.
-r <FILE> reads in the given pcap file.
This is an example of an actual command that I've run, where it took forty-five seconds to print sixteen lines, when I would have expected the execution time to be near-instant, or a few seconds at most:
$ tcpdump -Aq -r z2121ecbc0186d9fa07b.pcap | grep POST
Given that the duration of the capture is less than a minute, I'm starting to think that tcpdump -r causes the capture to play back in real time, but I can't find anything in the man page or online to confirm that, and certainly nothing that tells me if there is a way to turn that real-time playback off.
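As an added example (not part of the question, and not tcpdump's own code), the following standard-library Python script does the equivalent of `tcpdump -Aq -r file.pcap | grep POST` on a small capture it constructs in memory: it parses the libpcap global header and per-record headers, pulls the TCP payload out of each Ethernet/IPv4/TCP frame, collects lines containing the search string, and reports both the capture's time span (taken from the record timestamps) and the wall-clock time the parse took. The three packets, the 10.0.0.x addresses and the helper names (build_sample_pcap, iter_packets, tcp_payload, grep_payloads) are all constructed for this example; the capture header layout and field offsets are the standard libpcap/IPv4/TCP ones.

```python
"""Minimal libpcap (.pcap) reader that scans TCP payloads for a string.

Added example: mimics `tcpdump -Aq -r file.pcap | grep POST` with only the
standard library, on a constructed capture, so the read path can be timed.
"""
import struct
import time

PCAP_MAGIC_USEC = 0xA1B2C3D4   # libpcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Build a tiny pcap file in memory (constructed test data, not a real capture).

    Three Ethernet/IPv4/TCP packets whose timestamps span 50 seconds of
    capture time; the second one carries an HTTP POST request.
    """
    def packet(ts_sec, payload):
        eth = b"\x00" * 12 + b"\x08\x00"                 # dst/src MAC, EtherType IPv4
        ip_len = 20 + 20 + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed hosts
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        frame = eth + ip + tcp + payload
        # record header: ts_sec, ts_usec, included length, original length
        return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return (header
            + packet(1000, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
            + packet(1020, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=alice")
            + packet(1050, b"HTTP/1.1 200 OK\r\n\r\n"))


def iter_packets(data):
    """Yield (timestamp_seconds, frame_bytes) for each record in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        order = "<"
    elif magic == 0xD4C3B2A1:                # same format, written big-endian
        order = ">"
    else:
        raise ValueError("not a libpcap file (unsupported magic %#x)" % magic)
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes the Ethernet link type")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[14 + 9] != 6:                                # protocol 6 = TCP
        return None
    tcp_start = 14 + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4        # TCP header length
    ip_total_len = struct.unpack("!H", frame[16:18])[0]
    return frame[tcp_start + data_offset:14 + ip_total_len]


def grep_payloads(data, needle):
    """Return (matching_lines, capture_span_seconds, wall_seconds_spent_parsing).

    The capture span comes purely from the stored timestamps; the reader never
    sleeps on them, so the wall time reflects decoding cost alone.
    """
    matches, first_ts, last_ts = [], None, None
    start = time.perf_counter()
    for ts, frame in iter_packets(data):
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        payload = tcp_payload(frame)
        if payload is None:
            continue
        for line in payload.decode("ascii", errors="replace").splitlines():
            if needle in line:
                matches.append(line)
    elapsed = time.perf_counter() - start
    span = (last_ts - first_ts) if first_ts is not None else 0.0
    return matches, span, elapsed


if __name__ == "__main__":
    found, capture_span, wall = grep_payloads(build_sample_pcap(), "POST")
    print("matches:", found)
    print("capture spans %.0f s; parsing took %.6f s" % (capture_span, wall))
```

Running the script prints the single POST request line and shows a 50-second capture span against a parse time of well under a second, which is the kind of measurement that separates decoding cost from the capture's own duration when a read-back feels slow.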