Why is there a long delay between pcap_loop() and getting a packet? (tag: linux)



I'm using 10000

The to_ms argument to pcap_open_live() and pcap_set_timeout() is in milliseconds.

10000 milliseconds is 10 seconds.

Try using 1000, which is the value tcpdump uses - that'll reduce the delay to 1 second - or using 100, which is the value Wireshark uses - that'll reduce the delay to 1/10 second.

I read on a tutorial about this field: "on at least some platforms, this means that you may wait until a sufficient number of packets arrive before seeing any packets, so you should use a non-zero timeout"

The tutorial in question is the tcpdump.org "How to use libpcap" tutorial, and the passage in question was added in this CVS commit:

revision 1.8
date: 2005/08/27 23:58:39;  author: guy;  state: Exp;  lines: +34 -31
Use a non-zero timeout in pcap_open_live(), so you don't wait for a
bufferful of packets before any are processed.
Correctly explain the difference between pcap_loop() and
pcap_dispatch().
In sniffex.c, don't print the payload if there isn't any.

so I'm familiar with it. :-)

I'd have to spend some time looking at the Linux kernel code (again) to see what effect a timeout value of 0 would have on newer kernels. However, when writing code that uses libpcap/WinPcap to do live captures, you should always act as if you're writing code for such a platform; your code will then be more portable to other platforms and will not break if the behavior of a zero timeout changes.