This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark running background linux

0

I'm running this tshark filter and cannot get it to start in the background or at least run without an active session. Is there some limitation I'm missing with tshark? Is there anything I can do to get this to run with me having to ssh and manually start the command? OS = Linux/Debian Squeeze.

tshark -R "http.request ==1 and http.user_agent" -T fields -e ip.addr -e http.user_agent -w tshark.log

I also tried to redirect output to a file and not use -w (>tshark.log). Thanks in advance!

asked 27 Feb '13, 20:34

sectech
11113
accept rate: 0%

and cannot get it to start in background or at least run without an active session

How did you try that?

(27 Feb '13, 23:46) Kurt Knochner ♦

I tried adding -q and & at the end; it strips my filter and strips my stdout redirection. I tried an init script for Debian I found, and using this command from the shell, and output different ways; it does the same: strips my filter and redirects stdout to /tmp/wiresharkxxx. I'm not a nix guru. I'm just trying to figure this out as I go. Thanks!

#!/bin/bash
# Add more options to tshark, as appropriate to your command....
setsid tshark -R "http.request ==1 and http.user_agent" -T fields -e ip.addr -e http.user_agent -w tshark.log

(28 Feb '13, 04:25) sectech

2 Answers:

0

tshark -R "http.request ==1 and http.user_agent" -T fields -e ip.addr -e http.user_agent -w tshark.log

please run that command in a terminal and read the error message!

It should be something similar to this (depending on the tshark version):

tshark: Read filters aren't supported when capturing and saving the captured packets.

BTW: What are you trying to do? Logging the User-Agent and IP address of HTTP requests as soon as the system starts? If yes: How long do you intend to run that command (minutes, hours, days)?

Regards
Kurt

answered 28 Feb '13, 06:47

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 28 Feb '13, 06:47

Thanks for the info! Hmm, so I didn't realize they weren't supported. I plan on running this 24x7, reading the log and clearing it every 5 minutes. Do you have a better solution in mind? I would use iptables logging but they don't read headers :(

(28 Feb '13, 06:58) sectech

Does it matter if you miss 'some' sessions?

(28 Feb '13, 08:13) Kurt Knochner ♦

0

I don't see how you want to start an application without actually initiating an interactive shell.

Anyway, what I normally do is start tshark in a screen session, then leave it running and detach from the screen session. When I need to access the data, I can reattach to screen.

answered 28 Feb '13, 07:13

gsgleason
6114
accept rate: 0%
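
Putting the two answers together, as an added example that is not part of the original thread: a small start/stop wrapper that drops -w (so the filter is accepted), appends the field output to a log, and detaches from the SSH session with nohup. The function names, the interface eth0 and the file paths are assumptions; tshark 1.10 and later take the display filter with -Y, older releases such as the one in the question used -R.

```shell
#!/bin/bash
# Added example: run tshark as a detached User-Agent logger.
# Hypothetical names: start_ua_logger, stop_ua_logger, drain_ua_log, UA_*, TSHARK.

TSHARK="${TSHARK:-tshark}"                   # binary to run (overridable for testing)
UA_IFACE="${UA_IFACE:-eth0}"                 # assumed capture interface
UA_LOG="${UA_LOG:-/var/log/tshark-ua.log}"   # assumed log location
UA_PID="${UA_PID:-/var/run/tshark-ua.pid}"   # assumed PID file location
UA_DFLAG="${UA_DFLAG:--Y}"                   # set UA_DFLAG=-R on tshark older than 1.10

start_ua_logger() {
    # Refuse to start a second copy if the recorded PID is still alive.
    if [ -f "$UA_PID" ] && kill -0 "$(cat "$UA_PID")" 2>/dev/null; then
        echo "already running (pid $(cat "$UA_PID"))" >&2
        return 1
    fi
    # No -w: saving packets and filtering them cannot be combined, so the
    # field output goes to stdout and is appended to UA_LOG instead.
    # No -q either: without -w it would suppress the per-packet output.
    # -l flushes after every packet so the log is current when it is read.
    # nohup plus </dev/null keeps the process alive after the session ends.
    nohup "$TSHARK" -i "$UA_IFACE" -l \
        "$UA_DFLAG" "http.request == 1 and http.user_agent" \
        -T fields -e ip.addr -e http.user_agent \
        >>"$UA_LOG" 2>>"$UA_LOG.err" </dev/null &
    echo $! >"$UA_PID"
}

stop_ua_logger() {
    [ -f "$UA_PID" ] || return 1
    kill "$(cat "$UA_PID")" 2>/dev/null      # SIGTERM ends the capture
    rm -f "$UA_PID"
}

drain_ua_log() {
    # Print what has been logged so far, then empty the file. tshark's stdout
    # was opened in append mode (>>), so writing resumes at offset 0 after the
    # truncate. Lines written between the cat and the truncate are lost.
    cat "$UA_LOG" && : >"$UA_LOG"
}
```

Calling drain_ua_log from cron every five minutes gives the read-and-clear cycle described in the comments; error messages such as the read-filter one end up in the .err file next to the log.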