This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Running Wireshark continuously

1
1. For my project I want Wireshark to directly start saving packets as I start it. I need packets in plain text file format.
  2. Is there automatic exporting possible by doing any setting in Wireshark?
How can the above two be done?

asked 16 Feb '14, 01:27


WIDS
accept rate: 0%


One Answer:

2

You can't do that with Wireshark. That's what tshark is made for.

tshark -Vxnr input.pcap

or

tshark -nr input.pcap -T pdml

or even

tshark -nr input.pcap -T fields -e frame.number -e radiotap.channel -e radiotap.radiotap.db_antsignal -e wlan.sa -e wlan.da -e ip.src -e ip.dst -E 'separator=;' -E header=y

List of fields:

http://www.wireshark.org/docs/dfref/r/radiotap.html
http://www.wireshark.org/docs/dfref/w/wlan.html
http://www.wireshark.org/docs/dfref/

Then parse the output of tshark with whatever language you prefer (in your case probably Java).

HINT: If you run tshark/Wireshark continuously, you will eventually get into trouble, as both tools are not designed as long-term, real-time monitoring tools. For both, the memory usage will increase steadily, as both store state information about several things (sessions, etc.) and never release that memory until the process ends.

http://wiki.wireshark.org/KnownBugs/OutOfMemory

See also some lengthy discussion on this site regarding tshark as a long-term, real-time monitoring solution and the problems that can arise.

http://ask.wireshark.org/questions/25794/tshark-generate-core-dump
http://ask.wireshark.org/questions/26563/smaller-tshark-for-specific-protocol
http://ask.wireshark.org/questions/28224/tshark-crashed-without-any-reason-in-output-log

Regards
Kurt

answered 16 Feb '14, 02:26


Kurt Knochner ♦
accept rate: 15%

edited 16 Feb '14, 03:12
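A worked example of the approach in the answer above: start tshark on a live interface the moment the script runs, tee its `-T fields` text output straight to a plain-text file, and parse each line as it arrives. This is an added example, not code from the original post or from the Wireshark project. It assumes `tshark` is on PATH and that the caller is allowed to capture on the interface; the `-e` fields are generic IP/TCP/UDP ones chosen here instead of the answer's radiotap/wlan fields, and the sample tshark output used to exercise the parser is constructed inline. Restarting tshark in timed rounds (`-a duration:N`) is this example's own way of bounding the memory growth the answer warns about.

```python
"""Start tshark immediately, save its plain-text output, and parse it live.
Added example, not code from the original answer or the Wireshark project; assumes
`tshark` is on PATH and the caller may capture on the interface. The -e fields are
generic IP/TCP/UDP ones rather than the answer's radiotap/wlan fields."""
import subprocess
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

SEPARATOR = ";"
FIELDS = ["frame.number", "frame.time_epoch", "ip.src", "ip.dst",
          "ip.proto", "tcp.dstport", "udp.dstport"]

# Constructed sample of `-T fields -E header=y -E separator=;` output (frame 2 is non-IP).
SAMPLE_OUTPUT = """\
frame.number;frame.time_epoch;ip.src;ip.dst;ip.proto;tcp.dstport;udp.dstport
1;1392542853.123456000;192.0.2.10;198.51.100.7;6;443;
2;1392542853.234567000;;;;;
3;1392542853.345678000;192.0.2.10;203.0.113.53;17;;53
"""


def build_tshark_command(interface: str, fields: List[str], separator: str = SEPARATOR,
                         duration: Optional[int] = None) -> List[str]:
    """Argument vector for a live, line-flushed fields export. Passing a list to
    subprocess avoids the shell problem that an unquoted `separator=;` ends the command."""
    cmd = ["tshark", "-i", interface,
           "-n",                      # no name resolution: raw addresses in the output
           "-l",                      # flush after every packet so readers see lines live
           "-T", "fields", "-E", "header=y", "-E", f"separator={separator}",
           "-E", "occurrence=f"]      # first value only for fields that repeat in a frame
    for name in fields:
        cmd += ["-e", name]
    if duration is not None:          # -a duration:N: tshark exits after N seconds
        cmd += ["-a", f"duration:{int(duration)}"]
    return cmd


def parse_fields_output(lines: Iterable[str], separator: str = SEPARATOR,
                        strict: bool = True) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per packet; the first line is the header, empty cells become None."""
    it = iter(lines)
    header = next(it, "").rstrip("\r\n").split(separator)
    for raw in it:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        cells = line.split(separator)
        if len(cells) != len(header):
            if strict:
                raise ValueError(f"expected {len(header)} columns, got {len(cells)}: {line!r}")
            continue                  # long-running mode: skip a torn line, keep going
        yield {name: (cell or None) for name, cell in zip(header, cells)}


def destination_ports(records: Iterable[Dict[str, Optional[str]]]) -> Counter:
    """Count packets per (protocol, destination port); non-IP records are ignored."""
    counts: Counter = Counter()
    for rec in records:
        if rec.get("tcp.dstport"):
            counts[("tcp", int(rec["tcp.dstport"]))] += 1
        elif rec.get("udp.dstport"):
            counts[("udp", int(rec["udp.dstport"]))] += 1
    return counts


def run_live(interface: str, fields: List[str] = FIELDS, duration: Optional[int] = None,
             text_log: Optional[str] = None) -> Iterator[Dict[str, Optional[str]]]:
    """Launch tshark now and yield parsed packets as they arrive. If text_log is set,
    every raw line is also appended to that plain-text file as it is produced."""
    proc = subprocess.Popen(build_tshark_command(interface, fields, duration=duration),
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    log = open(text_log, "a", encoding="utf-8") if text_log else None

    def tee() -> Iterator[str]:
        for line in proc.stdout:
            if log:
                log.write(line)
                log.flush()
            yield line

    try:
        yield from parse_fields_output(tee(), strict=False)
    finally:
        if proc.poll() is None:
            proc.terminate()
        proc.wait()
        if log:
            log.close()


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"   # assumed interface name
    # The answer warns that tshark keeps per-session state until the process exits, so
    # rather than one process forever, run it in 10-minute rounds and restart.
    while True:
        for rec in run_live(iface, duration=600, text_log="capture.txt"):
            print(rec["frame.number"], rec["ip.src"], rec["ip.dst"])
```

Run it as `python3 live_export.py wlan0`; tshark itself must be permitted to capture on that interface (on Linux usually via dumpcap's capabilities or by running as root). Each 10-minute round ends with tshark exiting and a fresh process starting, so the state it accumulates is released on a fixed schedule, and `capture.txt` keeps growing as one plain-text log across rounds. Stopping with Ctrl-C runs the `finally` block, which terminates the tshark child rather than leaving it capturing in the background.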