tshark & etherXXXX files under /tmp directory

Question

Hello,

I am running tshark on a virtual machine running centOS, the version info is as below:

sudo /usr/sbin/tshark -v TShark 1.0.15 Copyright 1998-2010 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with GnuTLS 1.4.1, with Gcrypt 1.4.4, with MIT Kerberos. Running on Linux 2.6.18-194.26.1.el5, with libpcap version 0.9.4.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-48).

I run tshark as below:

sudo /usr/sbin/tshark -i eth0 Running as user "root" and group "root". This could be dangerous. Capturing on eth0 0.000000 192.168.179.1 -> 192.168.179.128 ICMP Echo (ping) request 0.000031 192.168.179.128 -> 192.168.179.1 ICMP Echo (ping) reply 2 packets captured

ls -l /tmp/ether* -rw——- 1 root root 152248 Jan 21 14:34 /tmp/etherXXXX2swaYE -rw——- 1 root root 24 Jan 21 14:48 /tmp/etherXXXX9YWKQw -rw——- 1 root root 924 Jan 21 14:49 /tmp/etherXXXXE4GGXo -rw——- 1 root root 24 Jan 21 14:35 /tmp/etherXXXXUMJJll -rw——- 1 root root 24 Jan 21 14:26 /tmp/etherXXXXvCdj8e

tshark creates these temporary files that are not getting deleted automatically, eventually I run out of space on that partition.

Is there any way to run tshark to dump packets on the “standard output” without these files getting created ??

Any help / advice is greatly appreciated.

Thanks /R

Answer 1

These temporary files are needed, but you can have them automatically removed on longer running captures. Look into the tshark man page and look at the -b option, the capture file ring buffer.

For the rest it's up to your system to clean up /tmp, which it does at reboot.