This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Running Wireshark continuously

1
  1. For my project I want Wireshark to directly start saving packets as I start it. I need packets in plain text file format ( 2. is there automatic exporting possible by doing any setting in wireshark ? ) How above two can be done .....

asked 16 Feb '14, 01:27

WIDS's gravatar image

WIDS
257713
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
2

You can't do that with Wireshark. That's what tshark is made for.

tshark -Vxnr input.pcap

or

tshark -nr input.pcap -T pdml

or even

tshark -nr input.pcap -T fields -e frame.number -e radiotap.channel -e radiotap.radiotap.db_antsignal -e wlan.sa -e wlan.da -e ip.src -e ip.dst -E separator=; -E header=y

List of fields:

http://www.wireshark.org/docs/dfref/r/radiotap.html
http://www.wireshark.org/docs/dfref/w/wlan.html
http://www.wireshark.org/docs/dfref/

Then parse the output of tshark with whatever language you prefer (in your case probably Java).

HINT: If you run tshark/Wireshark continuously, you will eventually get into trouble, as both tools are not designed as long term, real time monitoring tools. For both the memory usage will increase steadily, as both store state information about several things (sessions, etc.), and never release that memory, until the process ends.

http://wiki.wireshark.org/KnownBugs/OutOfMemory

See also some lengthy discussion on this site, regarding tshark as a long term, real time monitoring solution and the problems that can arise.

http://ask.wireshark.org/questions/25794/tshark-generate-core-dump
http://ask.wireshark.org/questions/26563/smaller-tshark-for-specific-protocol
http://ask.wireshark.org/questions/28224/tshark-crashed-without-any-reason-in-output-log

Regards
Kurt

permanent link

answered 16 Feb '14, 02:26

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 16 Feb '14, 03:12

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×1,620
×76
×42
×6

question asked: 16 Feb '14, 01:27

question was seen: 2,778 times

last updated: 16 Feb '14, 03:12

Related questions

"Export specified packets" in tshark.

How to change a proto_item value at dissector?

The Folder contents could not be displayed

Automatically exporting csv info

How to export a global data structure defined in epan/dissectors/packet-radius to make it accessible in ui/gtk?

Wireshark opening vs exporting performance

How to enable the tshark name resolution while exporting to csv from an already captured pcapng file

Is it possible to exporting/share profiles?

Save the SMB object list?

Exporting packets with Wireshark version 1.10.0

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A