Force Tshark to ignore Empty pcaps after filtering ?–

Question

Hello how to make Tshark ignore writing an empty file if the filter in -R doesn't return any result ?

Accepted Answer

1

Hello how to make Tshark ignore writing an empty file

by changing the code.

What are you trying to do? Maybe there is another solution?

Regards
Kurt

answered 30 Sep '13, 02:07

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

i made a bash script that reads like 10000 pcap and cut the data from each 100MB file pcap and put in another file in the same pcap name some pcaps may contain the data some doesn't so i want only pcaps that contains the data to be written and if not it doesn't write anything not an empty pcap with the file name

(30 Sep '13, 02:11) Ziad Kiwan

1

As I said, that behavior can be changed by changing the tshark source code.

In your case, it's easy to remove the empty files in the bash script.

Run these commands after you ran tshark. Replace file.pcap with the name tshark wrote.

capinfos file.pcap 2>&1 | egrep -i 'Number of packets:\s+0' > /dev/null
if [ $? -eq 0 ] 
then
   echo removing file.pcap
   rm -f file.pcap
fi

capinfos looks for the number of packets in the file. If there are 0 packets, egrep will retun 0 as exit code. In that case you can delete the file.

(30 Sep '13, 02:33) Kurt Knochner ♦

Wow that's something new to learn thank you man! real appreciated!

(30 Sep '13, 02:56) Ziad Kiwan

Good.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(30 Sep '13, 03:11) Kurt Knochner ♦

i couldn't find it before now i did thank you

(30 Sep '13, 04:26) Ziad Kiwan