I have looked in the forum, but I wasn't able to find the right question here nor the answer I'm looking for. I'm using Windows 2008 Server and using tshark to capture directly from the NIC card and output a CSV text of attributes to the screen (stdout).
But I got a number of times when tshark stopped working. After checking, I found out that it writes a TMP file into C:\Users\%Username%\AppData\Local\Temp.
It has grown too big, and I must stop the process to delete it and then start the process again. I have checked, but I wasn't able to find a way to disable the tmp file. I tried the -w - or the -b, but none has any effect.
Can someone please point me to the correct way to stop the temp file, or a correct way to deal with this issue without stopping the service? Like rotating the tmp file or limiting it to a fixed size, etc.
Thank you, Lior
asked 03 Aug '13, 04:21
edited 03 Aug '13, 04:23
Try using dumpcap. It works really well and can create multiple files for you: you can provide the time or volume after which a new file should be created, and you can also provide the max number of files that should be rotated.
e.g.: dumpcap -i any -b filesize:153600 -b files:2000 -Z none -f port 2123 -w c:\Traces\tracesaug.snoop
answered 03 Aug '13, 10:18
edited 03 Aug '13, 10:19
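One way to apply this answer to the original goal (CSV output from tshark) without the growing temp file: let dumpcap own the live capture with its ring buffer, and have tshark dissect each completed ring file with -r, which reads the file directly and never goes through dumpcap's temp file. This is an added PowerShell example, not code from the answer above; the install paths, interface number, directories and the field list are assumptions to adjust for your setup.

```powershell
# Added example, not from the original answer. Assumptions: Wireshark in its
# default install location, interface number taken from 'dumpcap -D',
# placeholder trace/CSV directories, and an illustrative field list.
$Dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'
$Tshark    = 'C:\Program Files\Wireshark\tshark.exe'
$TraceDir  = 'C:\Traces'
$CsvDir    = 'C:\Traces\csv'
$Interface = '1'            # NIC number as listed by: dumpcap -D
$Filter    = 'port 2123'    # capture filter from the answer above (GTP-C)

New-Item -ItemType Directory -Force -Path $TraceDir, $CsvDir | Out-Null

# Ring buffer: new file every 150 MB (filesize is in kB), keep at most 20
# files, so disk use stays bounded at roughly 3 GB however long this runs.
$capArgs = "-i $Interface -f `"$Filter`" -b filesize:153600 -b files:20 " +
           "-w `"$TraceDir\gtp.pcapng`""
$cap = Start-Process -FilePath $Dumpcap -ArgumentList $capArgs -PassThru -NoNewWindow

# Fields to emit as CSV. tshark -r dissects the file itself and does not
# spawn dumpcap, so nothing is written to %LOCALAPPDATA%\Temp.
$fields = '-e', 'frame.time_epoch', '-e', 'ip.src', '-e', 'ip.dst',
          '-e', 'udp.srcport', '-e', 'udp.dstport', '-e', 'gtp.message'
$seen = @{}
while (-not $cap.HasExited) {
    # dumpcap names ring files <base>_<seq>_<timestamp>.pcapng with a
    # zero-padded sequence number, so sorting by name gives capture order.
    # The newest file is still being written; only older ones are complete.
    $files = @(Get-ChildItem $TraceDir -Filter 'gtp_*.pcapng' | Sort-Object Name)
    if ($files.Count -gt 1) {
        foreach ($f in $files[0..($files.Count - 2)]) {
            if ($seen.ContainsKey($f.Name)) { continue }
            $csv = Join-Path $CsvDir ($f.BaseName + '.csv')
            & $Tshark -r $f.FullName -T fields -E header=y -E 'separator=,' @fields |
                Out-File -Encoding ascii $csv
            $seen[$f.Name] = $true
        }
    }
    Start-Sleep -Seconds 30
}
```

Old ring files are removed by dumpcap itself once the files:20 limit is reached, so the script never has to stop the capture to reclaim space; the per-file CSVs in $CsvDir are what the original tshark command was printing to stdout.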
Unfortunately, TShark currently doesn't support any mechanism other than temporary files to pass packets from dumpcap to it; that's bug 2743. That bug would require some work to fix.
You could, however, use flags such as
answered 03 Aug '13, 14:25
Guy Harris ♦♦
edited 03 Aug '13, 14:35
Sadly, eventually that 24/7 will have to end, as TShark, in order to dissect packets, saves various bits of state in its address space, and runs the risk of eventually running out of "memory" (address space/swap space, in reality).
Then you weren't using the
Then you're out of luck, as
No matter how much memory you have, with enough packets, TShark can eat up all your memory and swap space (unless you're on an OS where swap space is easily expandable, in which case it'll eat up all your disk space instead). If your computer is running a 32-bit version of TShark, TShark will probably eat up all its address space before it even gets a chance to eat up all the memory and swap space.
And there's currently a 1km high wall around that square, unfortunately.
...and you can't currently do that.
No. dumpcap was explicitly designed to be incapable of doing that. It might have to run with extra privileges in order to capture traffic, so the ability to dissect packets was explicitly left out of it to reduce the amount of code in it that could cause problems if there's a bug in it that opens a security hole.
At best, you could run dumpcap with the
What information are you trying to get? There might be other programs that can get that information for you.
answered 04 Aug '13, 23:35
Guy Harris ♦♦
In that case, I recommend a RADIUS sniffer, like one of these.
Combined with some scripting, you should be able to achieve your goal.
answered 09 Aug '13, 14:54
Kurt Knochner ♦