Tshark: Cannot run Dissector() while using option “-w”

Hi all, I'm using the tshark command and trying some scenarios, but something seems strange. I modified the Dissectors() function. Here is my concern:

  1. **tshark -i 5**

The program went through my code in Dissectors(), but it wrote a large tmp file. So, what happens if I remove the tmp file? I tried, but nothing happened; the program still prints everything without the tmp file. So, how does the program have data to dissect? Previously, I thought dumpcap writes data to the tmp file and then Dissectors() reads data from the tmp file to dissect, but now, after removing this file, Dissectors() was still working. If so, why do we need a large tmp file if nothing changes after removing it? Please correct me if I said something wrong.

  2. **tshark -i 5 -w /tmp/sonnh.pcap**

When I use the option "-w", nothing went through my code in Dissectors(), so I think that if I use "-w", the program only calls dumpcap without (or skipping) calling Dissectors(). Is that right? Other evidence that made me think it could be right is that no value or data is printed out when I use "-w". Also, we cannot use a filter together with "-w", simply because no Dissector() is called if we are using "-w". Am I right?

  3. I want to run my code in Dissectors() by using tshark but don't want to keep a large tmp file. So, is there anything wrong if I try to insert code into Dissector() to remove the tmp file? (I cannot run my code when I use the option "-w" to solve the problem of the large tmp file.) Thanks so much.

asked 06 Oct '13, 21:54

hoangsonk49


One Answer:

If you run with -w and without -P, tshark writes the raw packet data to the file specified with -w and does not dissect packets.

If you want the raw packet data to be written to a file and have the packets dissected, use the -P flag and, if you want a detailed dissection, the -V flag in addition to the -P flag.

If you only want the packets to be dissected, and don't want the raw packet data to be written to a file, don't use the -w flag.

(This is similar to tcpdump, which dissects packets if you don't give it the -w flag, and writes them to a file without dissecting them if you give it the -w flag.)

Currently, tshark writes captured packets to a temporary file in all cases, even if you don't specify -w. Bug 2343 requests that it not do so, but that bug isn't fixed yet, so you currently cannot run tshark, have it capture packet data, and not write a temporary file.

answered 06 Oct '13, 23:13

Guy Harris ♦♦

Thanks Harris, I understand that we always have a temp file, but I just want to delete it due to disk space, because my program runs in real time and is non-stop. With the options -P and -W, now I can go through the Dissectors and also auto-delete the temp file. Thanks for your comment. But I just wonder why tshark needs a temp file? I tried to remove the temp file and saw nothing happen with tshark.

(07 Oct '13, 00:15) hoangsonk49
> But I just wonder why tshark needs a temp file?

Because there needs to be some way for dumpcap to supply it with packets, and because the protocol between dumpcap and tshark would need to be different if it were supplying it with packets over a pipe rather than in a file, and we haven't gotten around to making that work yet.

> I tried to remove the temp file and saw nothing happen with tshark.

If this is on UN*X (Linux, OS X, *BSD, Solaris, etc.), then removing a file that some process has open just removes its name from a directory; the file doesn't disappear until the last file that has it open closes it, and both dumpcap and tcpdump have it open. It still takes up space while it's still around.

(07 Oct '13, 00:56) Guy Harris ♦♦
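As an added illustration (not part of the original thread) of the point about unlinking an open file on UN*X: the POSIX sh function below creates a 1 MiB stand-in for the capture temp file, holds it open on a descriptor the way dumpcap/tshark would, removes it, and shows that the name is gone while the data (and its disk space) is still there until the descriptor is closed. It assumes `mktemp -d` and `dd` are available.

```shell
#!/bin/sh
# Constructed demo: removing a file that another process still has open
# only unlinks the directory entry; the bytes stay allocated until the
# last open descriptor is closed. Prints the byte count still readable.
demo_unlink_while_open() {
    dir=$(mktemp -d) || return 1
    f="$dir/capture.tmp"

    # 1 MiB of zeros stands in for the capture temp file dumpcap writes
    dd if=/dev/zero bs=1024 count=1024 of="$f" 2>/dev/null || return 1

    # Hold the file open on fd 3, as dumpcap/tshark hold the temp file
    exec 3<"$f"

    # "Delete" it, as the asker did
    rm -f "$f"

    # The name is gone from the directory...
    [ ! -e "$f" ] || { exec 3<&-; return 1; }

    # ...but every byte is still readable (and still occupying disk space)
    # through the open descriptor.
    bytes=$(wc -c <&3 | tr -d ' ')

    # Only now, when the last descriptor closes, is the space released.
    exec 3<&-
    rmdir "$dir"
    echo "$bytes"
}

demo_unlink_while_open   # prints 1048576
```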