This is our old Q&A Site. Please post any new questions and answers at

Im running this tshark filter and cannot get it to start in background or at least run without an active session. Is there some limitation im missing with tshark? Is there anything I can do to get this to run with me having to ssh and manually start the command? OS= Linux/Debian Squeeze. tshark -R "http.request ==1 and http.user_agent" -T fields -e ip.addr -e http.user_agent -w tshark.log I also tried to redirect output to a file and not use -w (>tshark.log) Thanks in advance!

asked 27 Feb '13, 20:34

sectech's gravatar image

accept rate: 0%

and cannot get it to start in background or at least run without an active session

how did you try that?

(27 Feb '13, 23:46) Kurt Knochner ♦

I tried adding -q and & at the end, it strips my filter and strips my stdout redirection. I tried an init script for debian i found, and using this command from shell. and output different ways it does the same strips my filter and redirects stdout to /tmp/wiresharkxxx. Im not a nix guru. Im just trying to figure this out as I go. Thanks!


Add more options to tshark, as appropriate to your command....

setsid tshark -R "http.request ==1 and http.user_agent" -T fields -e ip.addr -e http.user_agent -w tshark.log

(28 Feb '13, 04:25) sectech

tshark -R "http.request ==1 and http.user_agent" -T fields -e ip.addr -e http.user_agent -w tshark.log

please run that command in a terminal and read the error message!

It should be something similar than this (depending on the tshark version):

tshark: Read filters aren't supported when capturing and saving the captured packets.

BTW: What are you trying to do? Logging the User-Agent and IP address of HTTP requests as soon as the system starts? If yes: How long do you intend to run that command (minutes, hours, days)?


permanent link

answered 28 Feb '13, 06:47

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 28 Feb '13, 06:47

Thanks for the info! hmm so i didnt realize they werent supported. I plan running this 24x7 reading the log and clearing every 5 minutes. Do you have a better solution in mind? I would use iptable logging but they dont read header :(

(28 Feb '13, 06:58) sectech

does it matter if you miss 'some' sessions?

(28 Feb '13, 08:13) Kurt Knochner ♦

I don't see how you want to start an application without actually initiating an interactive shell.

Anyway, what I normally do is start tshark in a screen session, then leave it running and detach from the screen session. When I need to access the data, I can reattach to screen.

permanent link

answered 28 Feb '13, 07:13

gsgleason's gravatar image

accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 27 Feb '13, 20:34

question was seen: 5,475 times

last updated: 28 Feb '13, 08:13

p​o​w​e​r​e​d by O​S​Q​A