This is a static archive of our old Q&A Site. Please post any new questions and answers at

Rolling packet data capture using tshark live.


Lets say if i want to capture the wireshark capture GUI column data live to a windows txt file using tshark. The tshark command will be like this : tshark -i your_interface -n > your _path _to _text _file I would like to ROLL the windows txt file that conatins the wireshark capture GUI column data that is captured live. The windows batch file will then run the java files that process the txt file data that has just rolled (The packet data info had stopped appending to the same file) while more the packet data is captured to another txt file live. The whole process will repeat. My goal is to automate this whole process by writing a windows 7 batch file and run it on boot.(Placing the written batch file on the STARTUP folder so the batch file will execute). i tried this command on windows 7 CLI: tshark -i 3 -b filesize:1024 -b files:5 -n> "C:\\Users\\L33604\\Desktop\\Folder\\Capture.txt" The error message was thrown tshark : maximum capture file size specified, but capture isn't saved to a file. I know that this command would never run the java file that processes the txt file that has been just rolled. How would the above tshark command change and how would the batch file be written to execute the whole process i described?? Or any better recommendation? The main idea is

  1. rolling captured packet data live using tshark command.
  2. running java files that process the single txt file just rolled while live capturing is still going on to another txt file in a multitasking manner.
  3. Once after the java file has finished executing its codes, wait for more packet data to be captured to the other txt file to its limit then run the same java files again.

asked 24 Apr '12, 18:38

misteryuku's gravatar image

accept rate: 0%

edited 30 Apr '12, 07:10

grahamb's gravatar image

grahamb ♦

Modifying your question so heavily that the previous answers barely make sense isn't the correct way to use this site. Minor edits to clarify things are acceptable.

You ask a question, others answer it, you then accept all answers that solve your issue so that others who have a similar question can see the answers given that helped you and help themselves.

If you have another question, then please create a new one, so that the the correct answers will appear after it.

I have reverted your question to its original state.

(30 Apr '12, 07:05) grahamb ♦

2 Answers:


You're assuming that the -b options apply when writing out dissected packet information in text form rather than when writing out raw binary packet data in pcap or pcap-ng form; they do not.

Dissected packet information is written to the standard output, which is not necessarily being written to a file; even if it happens to be written to a file, TShark has no control over the file - it just gets its standard output redirected to a file by the program that runs it - probably cmd.exe in your case.

You would have to pipe the output of TShark to another program; that program could, for example, be given an argument specifying the path to the directory into which to write the files and part of the name to be given to the files, and could read its standard input and write it to a file and, when that file reaches its maximum size, close that file, open a new file, and continue writing its standard input to the new file. I don't know whether any such programs already exist, either for UN*X or Windows; if not, you might have to write it.

answered 25 Apr '12, 12:16

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%

I wanted the output as the wireshark GUI column data when i call this tshark command tshark -i your_interface -n > your _path _to _text _file. So if that kind of text output were to be generated form tshark, then can i also pipe the text output from the tshark command tshark -i your_interface -n > your _path _to _text _file to another program instead of piping the standard output??

(25 Apr '12, 20:07) misteryuku

If you're piping the output from tshark, there's no > in the tshark command; the command would be something such as

tshark -i your_interface -n | your_program

That will write the column data (as you haven't used the -V flag) to a pipe and the pipe will be the standard input of "your_program".

(26 Apr '12, 09:36) Guy Harris ♦♦


to hand over the capture files you will have to implement a "directory watcher" in java, that fires every time a new file is created in your working directory. tshark itself will not tell your external java programm when it creates a new "rolling" capture file. You can find some information about a "directory watcher" in java here:

I think you will get further information in a java programmer forum.

BTW: Why not using a libpcap wrapper in java altogether, instead of tshark?




answered 30 Apr '12, 09:18

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%