Hello and welcome to the Friday, November 17, 2020,

edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

I did a very brief diary today about TCP dump and, well, how to speed it up a little bit.

So many people are using TCP dump a day in the day out, but you know, you often don't really bother looking at so of the details of the command line options.

The most obvious thing to speed TCP dump up is usually the use of the dash and switch

to prevent reverse lookups. And that's a good idea for a number of reasons, not just for speed.

But there are a couple of other command line options that do affect speed.

And the two that probably matter the most here is Q and T.

Q will just make TisB dump quieter, so basically produce less output.

With that, of course, Tidump also has to analyze less, and that gave sort of about 30% or so a performance gain.

The other option may not be that obvious.

That's T.

T disables display of the timestamp, and the timestamp should be pretty straightforward and simple to analyze, but also sort of gets you a 25 to 30% performance gain if you are

turning off, displaying the timestamp, and then of course best if you disable both

timestamps and run it in quiet mode, which gets you about a 50% speed improvement.

Now, the quiet option is not always appropriate because you really see a lot less details

about the packet, pretty much just sort of IP addresses and maybe ports.

So the T option, I think, is really something to keep in mind if you want to speed up things

a little bit with T-Sb-Dump.

Then this was just a quick test on my M1 Mac.

If you get different numbers, please let me know.

...