Hello, I have looked in the forum but I wasn't able to find the right question here nor the answer I'm looking for. I'm using Windows 2008 Server and using tshark to capture directly from the NIC card and output a CSV text of attributes to the screen (stdout). But I got a number of times when tshark stopped working. After checking I have found out that it writes a TMP file into C:\Users\%Username%\AppData\Local\Temp. It has grown too big and I must stop the process to delete it and then start the process again. I have checked but I wasn't able to find a way to disable the tmp file. I tried the -w - or the -b but none has any effect. Can someone please point me to the correct way to stop the temp file, or the correct way to deal with this issue without stopping the service? Like rotate the tmp file or limiting it at a fixed size etc.. Thank you, Lior
asked 03 Aug '13, 04:21 liorh007, edited 03 Aug '13, 04:23
4 Answers:
Try using dumpcap. It works really well and can create multiple files for you; you can provide the time or volume after which a new file should be created, as well as the max number of files that should be rotated, e.g.: dumpcap -i any -b filesize:153600 -b files:2000 -Z none -f port 2123 -w c:\Traces\tracesaug.snoop
answered 03 Aug '13, 10:18 RAVI_TANDON, edited 03 Aug '13, 10:19
Hi, thank you for the answer. However, as I checked, dumpcap does not support filters, which is what I'm doing with tshark to output the CSV attributes, so I must use tshark. Is there a way to combine the dumpcap file features with tshark? I can live with rotating files (i.e. delete them as needed). Thank you, Lior (03 Aug '13, 14:00) liorh007
Yes. See my answer. (03 Aug '13, 14:35) Guy Harris ♦♦
@liorh007, dumpcap supports capture filters; what is the filter expression you're using? (04 Aug '13, 08:15) grahamb ♦
"filter" is a word that's sometimes used to refer to actual filters, i.e. packet-matching expressions used to choose which packets to capture/save/show and which ones not to capture/save/show, and other times used to refer to named fields (whenever I catch "filter" used in a bug title to mean "named field", I fix it). If he means "named fields", which I'm guessing he does from "dumpcap does not support filters, which is what i'm doing with tshark to output the CSV atributes", then dumpcap won't do the job. (04 Aug '13, 11:43) Guy Harris ♦♦
Unfortunately, TShark currently doesn't support any mechanism other than temporary files to pass packets from dumpcap to it; that's bug 2743. That bug would require some work to fix. You could, however, use flags such as
answered 03 Aug '13, 14:25 Guy Harris ♦♦, edited 03 Aug '13, 14:35
Note that running tshark for an extended period of time (you mention "service" in your question) is not recommended; it will run out of memory at some point. This is because tshark (and Wireshark) store data about conversations which accumulates during a run. dumpcap doesn't do this, hence why it's recommended for long-running processes. (04 Aug '13, 08:14) grahamb ♦
I infer from "using tshark to capture directy from the NIC card and output a CSV text of atributes to the screen. (stdout)" that dissecting packets is the reason for running TShark, so dumpcap won't suffice for his purpose. (04 Aug '13, 11:39) Guy Harris ♦♦
Sadly, eventually that 24/7 will have to end, as TShark, in order to dissect packets, saves various bits of state in its address space, and runs the risk of eventually running out of "memory" (address space/swap space, in reality).
Then you weren't using the
Then you're out of luck, as
No matter how much memory you have, with enough packets, TShark can eat up all your memory and swap space (unless you're on an OS where swap space is easily expandable, in which case it'll eat up all your disk space instead). If your computer is running a 32-bit version of TShark, TShark will probably eat up all its address space before it even gets a chance to eat up all the memory and swap space.
And there's currently a 1km high wall around that square, unfortunately.
No, because...
...and you can't currently do that.
No. dumpcap was explicitly designed to be incapable of doing that. It might have to run with extra privileges in order to capture traffic, so the ability to dissect packets was explicitly left out of it to reduce the amount of code in it that could cause problems if there's a bug in it that opens a security hole. At best, you could run dumpcap with the
What information are you trying to get? There might be other programs that can get that information for you.
answered 04 Aug '13, 23:35 Guy Harris ♦♦
Hi, thank you for the answer. I'm capturing RADIUS traffic and I split it into CSV fields like username, disconnection reason, packets used, etc., so I need to capture ALL traffic and can't rely on files that might not hold all the info I need. Also I need to make decisions based on that info in REALTIME. But as I said I'm willing to try anything. Also, the current TEMP solution I found now is to "stop" the service once during "off hours", delete the tmp file and then restart the service again, solving the memory issues you said. The other solution would be to set up a 2nd computer that would get the info and save only, so when I stop the main service I can read the missing info from the 2nd server. But this idea is only on paper now. Also, about reading from a dumpcap rotated file, I need to figure out how to make tshark read the files one after the other; this makes it more complicated and I really need the realtime speed. Any help in making it work would be forever thanked :-) (05 Aug '13, 01:34) liorh007
In that case, I recommend a radius sniffer, like one of these.
Combined with some scripting, you should be able to achieve your goal. Regards
answered 09 Aug '13, 14:54 Kurt Knochner ♦
Hi, thank you all for the answers, but here is more info.
1. I must use tshark as a service for a long time 24/7. It never got stuck, but I got a very large temp file.
2. I'm using the -R filter option with -T fields and -e for attributes to create a CSV text output.
3. The computer is very strong with a few CPUs and lots of memory.
4. Guy is right and dumpcap won't help me.
5. I have taken the advice of using the -b filesize/num and added an output file with -w; however they don't work with -R, so I'm back to square one :-(
Is there any way to make it work? The key is having the -b work with -R ;-) Also I'm willing to think outside the box, and maybe: is there a way to make dumpcap output a filtered CSV text info to a file by itself and I would use this file as an input?
thank you
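One way to do what Lior asks for twice above (have dumpcap rotate files with -b, then have tshark read the finished files one after the other and emit the CSV fields) is a small glue script that scans the ring-buffer directory, skips the newest file because dumpcap is still writing it, and runs a short-lived tshark over each finished file. This is an added example, not code from the thread or from the Wireshark project; the dumpcap file-naming pattern is the one dumpcap uses for -b output, the RADIUS field names and the `-Y` display-filter option are assumptions to check against your tshark version (`tshark -G fields`; builds older than 1.10 take the filter with -R instead).

```python
"""Feed dumpcap ring-buffer files to tshark one at a time (added example)."""
import re
import subprocess
from pathlib import Path

# dumpcap -b names each file <prefix>_<5-digit seq>_<YYYYmmddHHMMSS>.<ext>,
# e.g. tracesaug_00001_20130803101800.snoop for -w c:\Traces\tracesaug.snoop
RING_NAME = re.compile(
    r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>pcapng|pcap|snoop)$")

# Assumed Wireshark field names for the CSV columns Lior describes;
# verify them with `tshark -G fields | grep radius`.
RADIUS_FIELDS = ["frame.time", "radius.code", "radius.User_Name",
                 "radius.Acct_Terminate_Cause", "radius.Acct_Input_Packets"]


def completed_files(names, prefix):
    """Return ring files for `prefix` in sequence order, minus the newest one,
    which dumpcap has not closed yet.  `names` are bare file names."""
    matched = []
    for name in names:
        m = RING_NAME.match(name)
        if m and m.group("prefix") == prefix:
            matched.append((int(m.group("seq")), name))
    matched.sort()
    return [name for _, name in matched[:-1]]


def tshark_csv_cmd(path, fields, display_filter="radius", tshark="tshark"):
    """Build the tshark command that turns one finished capture into CSV lines.
    -Y is the display filter (use -R on tshark builds older than 1.10)."""
    cmd = [tshark, "-r", str(path), "-Y", display_filter, "-T", "fields",
           "-E", "separator=,", "-E", "quote=d", "-E", "header=n"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def process_ring(capture_dir, prefix, fields, done, out):
    """Run tshark over every finished file not yet in `done`, append its CSV
    output to `out`, and return the updated `done` set.  Each tshark run is
    short-lived, so per-run dissector state never accumulates."""
    names = [p.name for p in Path(capture_dir).iterdir()]
    for name in completed_files(names, prefix):
        if name in done:
            continue
        result = subprocess.run(tshark_csv_cmd(Path(capture_dir) / name, fields),
                                capture_output=True, text=True, check=True)
        out.write(result.stdout)
        done.add(name)
    return done
```

Call `process_ring(r"c:\Traces", "tracesaug", RADIUS_FIELDS, set(), sys.stdout)` from a loop or scheduled task while `dumpcap -b filesize:... -b files:...` runs; the `done` set keeps already-converted files from being read again before dumpcap deletes them.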