This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you make tshark read a ring buffer created by dumpcap?

0

Greetings. I wish to use tshark to monitor a network interface. I understand that in doing so, tshark executes dumpcap and dumpcap creates a pcap file that tshark then reads. The only problem is that I have restricted file capacity. I also understand that both tshark and dumpcap can be instructed to use files in a ring buffer manner with the -b option. The question is, can tshark be configured to execute dumpcap so that it writes the pcap data into a ring buffer and then read data from the ring buffer? Thanks in advance.

asked 21 Aug '12, 22:57

richy
accept rate: 0%


2 Answers:

2

The pipe is used for messages from dumpcap to {Wireshark,TShark}; those messages normally say "I've added N more packets to the end of the current capture file". Wireshark and TShark read those messages and, in response to them, read in N packets from the current capture file and process them. There are also "I've switched to a new file" messages, used if not capturing to a single file.

Currently, TShark requires that packets be written to a file specified with -w if you're going to use the ring buffer options. (If you don't specify -w, it just writes to a temporary file, and that will keep getting bigger over time, which is what you don't want).

So you'd have to do something such as

tshark -P -b filesize:{size} -b files:{count} -w /tmp/ringfiles -i eth0

which will write to files in /tmp with names beginning with ringfiles; it will switch files when a file gets bigger than {size}, and will keep only {count} such files around. -P will cause it to read and dissect the packets as they arrive, which you indicated in your reply that you want (had you indicated that in your question, for example, indicating that you want TShark to read the ring buffer files as it runs, rather than writing to a file without printing packet dissections and then running TShark on the saved files after you've finished running a dump to the files, the original answer might have applied better to the problem you were trying to solve).

answered 22 Aug '12, 16:38

Guy Harris ♦♦
accept rate: 19%
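As an added example (not code from the answer above or from the Wireshark project), the following POSIX shell script wraps the invocation the answer describes: it builds the tshark command line with the -b filesize and -b files ring-buffer options plus -P, adds -l so each dissected packet is flushed to stdout as soon as it is printed (which matters if you pipe the live output into another tool), validates the two numeric knobs, and computes the worst-case disk footprint of the ring. The interface name eth0, the prefix /tmp/ringfiles, and the 10240 kB / 5 file sizing are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original Q&A: run TShark in ring-buffer mode
# while printing dissections live, and bound the disk the ring may use.
# Interface "eth0", prefix "/tmp/ringfiles" and the sizes are assumptions.

# Print the tshark command line for a capture that rotates files.
#   -b filesize:N  switch to a new file once the current one exceeds N kB
#   -b files:N     keep at most N files, deleting the oldest when a new one starts
#   -P             print a packet summary line even though we are writing to a file
#   -l             flush stdout after each packet so a pipe consumer sees it at once
# Usage: build_ring_capture IFACE FILESIZE_KB FILES PREFIX
build_ring_capture() {
    iface=$1
    size_kb=$2
    count=$3
    prefix=$4
    case $size_kb in
        ''|*[!0-9]*) echo "filesize must be a positive integer (kB)" >&2; return 1 ;;
    esac
    [ "$size_kb" -gt 0 ] || { echo "filesize must be greater than 0" >&2; return 1; }
    case $count in
        ''|*[!0-9]*) echo "files must be a positive integer" >&2; return 1 ;;
    esac
    [ "$count" -gt 0 ] || { echo "files must be greater than 0" >&2; return 1; }
    printf 'tshark -l -P -i %s -b filesize:%s -b files:%s -w %s\n' \
        "$iface" "$size_kb" "$count" "$prefix"
}

# Worst-case disk the ring can occupy, in kB: every slot filled to the limit.
# dumpcap rotates after the limit is exceeded, so each file may run a little over.
# Usage: ring_disk_bound_kb FILESIZE_KB FILES
ring_disk_bound_kb() {
    echo $(( $1 * $2 ))
}

# Run the capture; dissection lines go to stdout for the caller to pipe.
# Requires tshark on PATH and capture privileges on the interface.
# Usage: run_ring_capture IFACE FILESIZE_KB FILES PREFIX
run_ring_capture() {
    cmd=$(build_ring_capture "$@") || return 1
    # Word-split the generated line back into arguments (prefix without spaces assumed).
    $cmd
}

# With the assumed sizing, the ring never holds more than 5 * 10240 kB (~50 MB).
echo "ring capped at $(ring_disk_bound_kb 10240 5) kB"

# Start capturing only when explicitly asked, e.g.:  sh ring.sh run | grep DNS
if [ "${1:-}" = "run" ]; then
    run_ring_capture eth0 10240 5 /tmp/ringfiles
fi
```

The validation matters because tshark reports a bad -b value only after it has already started dumpcap, whereas the wrapper refuses up front; and the disk bound is the number you check against your partition before leaving the capture running unattended.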

0

tshark can capture into a ring buffer by using the -b option you already mentioned, if you use it with the files:NUM parameter. And of course you can read the resulting trace files with tshark, but only one by one. If you need to read more than one file at once you can try to merge them together into a larger file using mergecap, but you need to keep in mind that the file might become too large to be read without a crash if you merge too many files.

answered 22 Aug '12, 00:01

Jasper ♦♦
accept rate: 18%

thanks but the whole point of the exercise is to capture traffic and analyze it with tshark in real time. When I do this using the -i eth0 (for instance) option the file which is written to by dumpcap (as executed by tshark) and read by tshark just grows until it exhausts the available disk space. When looking at the /proc/PID/fd directories for each, I noticed that they share a pipe, even though tshark is reading the filesystem file created by dumpcap. I assume the pipe is some kind of interprocess control channel, and that leads me to believe that there must be a way for ring buffer style transfer of pcap data between dumpcap and tshark in real time. Anyone else have any ideas?

(22 Aug '12, 15:00) richy