Pyshark Live Capture Fall Behind Tshark on High Traffic Load

[irfancnk]

I tried starting two different tshark process with the following python script.

import pyshark
import subprocess

packet_count_pyshark = 0
packet_count_tshark = 0

tsharkCall = ["tshark", "-i", "Wi-Fi", "-w", "tshark_capture" + ".pcap"]
print("Starting TShark")
tshark_process = subprocess.Popen(tsharkCall, stderr=subprocess.DEVNULL)
print("Starting Pyshark")
capture = pyshark.LiveCapture(interface='Wi-Fi')
for packet in capture.sniff_continuously():
    packet_count_pyshark += 1
    print("Pyshark : ", packet_count_pyshark)

After executing the script I opened 10 different youtube videos from browser. After waiting around 30 seconds. I cut the program flow with CTRL+C. I saw that the last packet count captured by the pyshark is 6672 however, the number of packets in the tshark pcapng file is 63916. There is a huge gap between the two. I wonder the what is this originated from? Am I doing/understanding something wrong? Any idea is appreciated

[irfancnk]

still no comments on this?

[henrywhitaker3]

You ever figure out what was going wrong with this?

[irfancnk]

I still dont have a precise answer for this. I ended up with using tshark process instead. But I guess the problem is because of the buffering. Since pyshark reads the packets from the stdout of tshark process, in heavy load, the buffer replaces the old packets that are not read by pyshark with the new ones. But this is just a guess. Since the gap is huge, I preferred using tshark process with subprocess module as live capture, then reading the pcap with pyshark file capture.

[muehlt]

I know this issue is old, but I independently found out the same thing as @irfancnk today after searching for the cause of packet loss for ages, stdout is not optimal for this.

[irfancnk]

Just use tshark, then read it with pyshark 👍🏻

[muehlt]

Sure, would be cool to remove the overhead of saving and analyzing the pcap file for my usecase but at some point you'll need to pick this tradeoff anyways :)