This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello

I have looked in the forum but i wasn't able to find the right question here nor answer i'm looking for. I'm using windows 2008 server and using tshark to capture directy from the NIC card and output a CSV text of atributes to the screen. (stdout)

But I got a number of times when tshark stopped working. after checking i have found out that it writes a TMP file into C:\Users\%Username%\AppData\Local\Temp

It has grown too big and i must stop the process to delete it and then start the process again. I have checked but i wasn't able to find a way to disable the tmp file. I tried the -w - or the -b but none has any effect.

Can someone please point me to the correct way to stop the temp file. or the a correct way to deal with this issue without stopping the service? like rotate the tmp file or limiting at a fixed size etc..

thank you Lior

asked 03 Aug '13, 04:21

liorh007's gravatar image

liorh007
1112
accept rate: 0%

edited 03 Aug '13, 04:23

Hi thank you all for the answers , but here is more info. 1. I must use tshark as a service for long time 24/7. it never got stuck , but i got a very large temp file 2. I'm using the -R filter option with -T fields and -e for attributes to create a CSV text output. 3. the computer is very strong with few cpu's and lots of memory 4. Guy is right and dumpcap won't help me. 5. I have taken the advice of using the -b filesize/num and added an output file with -w, however they don't work with -R so i'm back in/to square one :-(

is there any way to make it work? the key is having the -b work with -R ;-) also i'm willing to think outside the box and maybe : is there a way to make dumpcap output a filtered CSV text info a file by itself and i would us this file as an input?

thank you

(04 Aug '13, 23:04) liorh007

Try using dumpcap it works really well and can create multiple files for you, you can provide the time or volume after which a new file should be created as well as you can provide the max number of files that should be rotated

eg: dumpcap -i any -b filesize:153600 -b files:2000 -Z none -f port 2123 -w c:\Traces\tracesaug.snoop

permanent link

answered 03 Aug '13, 10:18

RAVI_TANDON's gravatar image

RAVI_TANDON
10447
accept rate: 0%

edited 03 Aug '13, 10:19

Hi thank you for the answer , however as i checked dumpcap does not support filters, which is what i'm doing with tshark to output the CSV atributes . so i must use tshark. is there a way to combine the dumpcap file features with tshark? i can live with rotating files, (ie delete them as needed) thank you Lior

(03 Aug '13, 14:00) liorh007

is there a way to combine the dumpcap file features with tshark?

Yes. See my answer.

(03 Aug '13, 14:35) Guy Harris ♦♦

@liorh007, dumpcap supports capture filters, what is the filter expression you're using.

(04 Aug '13, 08:15) grahamb ♦

"filter" is a word that's sometimes used to refer to actual filters, i.e. packet-matching expressions used to choose which packets to capture/save/show and which ones not to capture/save/show, and other times used to refer to named fields (whenever I catch "filter" used in a bug title to mean "named field", I fix it).

If he means "named fields", which I'm guessing he does from "dumpcap does not support filters, which is what i'm doing with tshark to output the CSV atributes", then dumpcap won't do the job.

(04 Aug '13, 11:43) Guy Harris ♦♦

Unfortunately, TShark currently doesn't support any mechanism other than temporary files to pass packets from dumpcap to it; that's bug 2743. That bug would require some work to fix.

You could, however, use flags such as -b filesize:size and -b files:nfiles with TShark as well; they're passed on to dumpcap. Pick a small value for nfiles and a not-too-large value for size, and that won't take up too much disk space - only nfiles will be kept around, each one having a size approximately as big as size.

permanent link

answered 03 Aug '13, 14:25

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 03 Aug '13, 14:35

Note that running tshark for an extended period of time (you mention "service" in your question) is not recommended, it will run out of memory at some point. This is because tshark (and Wireshark) store data about conversations which accumulates during a run.

dumpcap doesn't do this, hence why it's recommend for long-running processes.

(04 Aug '13, 08:14) grahamb ♦

I infer from "using tshark to capture directy from the NIC card and output a CSV text of atributes to the screen. (stdout)" that dissecting packets is the reason for running TShark, so dumpcap won't suffice for his purpose.

(04 Aug '13, 11:39) Guy Harris ♦♦
  1. I must use tshark as a service for long time 24/7.

Sadly, eventually that 24/7 will have to end, as TShark, in order to dissect packets, saves various bits of state in its address space, and runs the risk of eventually running out of "memory" (address space/swap space, in reality).

it never got stuck , but i got a very large temp file

Then you weren't using the -b flags in question, because it wasn't rotating the files.

  1. I'm using the -R filter option

Then you're out of luck, as

  1. in order to use the -b options, you need to be saving to a file;
  2. the -R option currently isn't supported if you're not saving to a file.
  1. the computer is very strong with few cpu's and lots of memory

No matter how much memory you have, with enough packets, TShark can eat up all your memory and swap space (unless you're on an OS where swap space is easily expandable, in which case it'll eat up all your disk space instead). If your computer is running a 32-bit version of TShark, TShark will probably eat up all its address space before it even gets a chance to eat up all the memory and swap space.

    1. I have taken the advice of using the -b filesize/num and added an output file with -w, however they don't work with -R so i'm back in/to square one :-(

And there's currently a 1km high wall around that square, unfortunately.

is there any way to make it work?

No, because...

the key is having the -b work with -R

...and you can't currently do that.

is there a way to make dumpcap output a filtered CSV text info a file by itself

No. dumpcap was explicitly designed to be incapable of doing that. It might have to run with extra privileges in order to capture traffic, so the ability to dissect packets was explicitly left out of it to reduce the amount of code in it that could cause problems if there's a bug in it that opens a security hole.

At best, you could run dumpcap with the -b options to have it produce a sequence of capture files, but not remove them. You could then try running a script that watches for new capture files to appear and, when a new file appears, runs TShark on each of the older capture files, removing each one after it's processed. Note, however, that this means that if, in order to dissect a packet in a particular file, information from a packet in an earlier file is required, the later packet won't be able to be fully dissected, so, if the fields you're using with -e require a full dissection, you might not get the information you want. (The information in question is part of the stuff that eventually will fill up TShark's address space.)

What information are you trying to get? There might be other programs that can get that information for you.

permanent link

answered 04 Aug '13, 23:35

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Hi Thank you for the answer. I'm capturing RADIUS traffic and i split it into CSV fields like username,disconnection reason,packets used, etc... so i need to capture ALL traffic and can't relay on files that might not hold all the info i need. also i need to make decisions based on that info in REALTIME.

but as i said i'm willing to try anything. also since the current TEMP solution I found now is to "stop" the service once during "off hours" delete the tmp file and then restart the service again, solving the memory issues you said.

The other solution would be to setup a 2nd computer that would get the info and save only, so when I stop the main service I can read the missing info from the 2nd server. but this idea is only on paper now.

also about reading from a dumpcap rotated file, I need to figure out how to make the tshark read the files one after the other this makes it more complicated and i really need the realtime speed.

any help in making it work would be forever thanked :-)

(05 Aug '13, 01:34) liorh007

I'm capturing RADIUS traffic and i split it into CSV fields like username,disconnection reason,packets used, etc.

In that case, I recommend a radius sniffer, like one of these.

http://sourceforge.net/projects/raddump/
http://www.manpagez.com/man/8/radsniff/

Combined with some scripting, you should be able to achieve your goal.

Regards
Kurt

permanent link

answered 09 Aug '13, 14:54

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×91
×10

question asked: 03 Aug '13, 04:21

question was seen: 7,846 times

last updated: 09 Aug '13, 15:15

p​o​w​e​r​e​d by O​S​Q​A