Bash – One second delay before tcpdump returns packets

bashlinux-networkingtcpdumpwifi

Using Ubuntu, I'm trying to sync tcpdump sniffing with self-identifying "pings" from a client device. The problem is that getting precise starts and stops is made difficult by what looks like a built-in delay in tcpdump. Here's the key line from my script:

sudo timeout .5s tcpdump -i wlan0 -e

When I set timeout to stop tcpdump after, say, half a second (as in my example), no packets are returned. In fact, any value lower than 1.1s fails to return packets (while 1.1 and longer work wonderfully).

I've tried adding the -n argument to suppress DNS but that made no difference. I also tried this with two entirely different wifi cards (Intel Centrino and TP-Link N900) to make sure that it wasn't just a hardware "feature".

I'm not a developer, but I grep-ed the tcpdump source code for "delay", "latency", and "timeout" but nothing came up that seemed responsible.

Any ideas?

Best Answer

gnu coreutils timeout.c has a fallback for systems without timer_settime() - it will revert to single-second resolution:

/* timer_settime() provides potentially nanosecond resolution.
setitimer() is more portable (to Darwin for example),
but only provides microsecond resolution and thus is
a little more awkward to use with timespecs, as well as being
deprecated by POSIX.  Instead we fallback to single second
resolution provided by alarm().  */

perhaps thats your issue. i don't run ubuntu so i can't check firsthand, but for example my openbsd machine only has setitimer(), so it would only use full-second timeouts for me

--edit: on second look it still should wait atleast 1 second, unless its rounding down...or somehow tcpdump is getting an early sigterm ...and maybe there are just no packets during the interval?

Related Solutions

Linux – Unknown tcpdump packets

It looks like it is your Cisco switches running the Spanning Tree Protocol. (I did a look up 00:15:c6 is a Cisco MAC and 01:00:0c:cc:cc:cd is the multicast MAC address Cisco Shared Spanning Tree Protocol).

If you don't have any loops in your switch topology you could turn it off, but I doubt it will impact performance.

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Best Answer

Related Solutions

Linux – Unknown tcpdump packets

tcpdump – How to Capture ACK or SYN Packets

Related Topic