I modified a tshark version to filter the packets I am concerned with, and record them in files. When tshark crashes or has no response, I want to recover the analyzing process at the next tshark start-up. How do I record and recover the index info with minimal modifications? Any ideas?
asked 16 Feb '14, 23:39 metamatrix
One Answer:
You could record the frame number (frame.number) of the processed packets to a file. When you restart tshark (with a wrapper script) you could determine the last processed frame number from that file and start tshark with the following option.
If your version of tshark does not know -Y, please use -R instead. Regards
answered 18 Feb '14, 00:05 Kurt Knochner ♦

Thank you, Kurt. I'll have a try. (18 Feb '14, 01:12) metamatrix

I'm not really sure if tshark would not crash if you use that method. I guess it depends on the reason for the crash. If it still crashes at the same frame, you can try to modify the capture file (probably with editcap) and remove the frame(s) that led to the crash. There is no guarantee that this works, but at least it's a simple solution to implement with scripting. Everything else would require larger changes to tshark and the whole wireshark dissection engine to catch and process exceptions. (18 Feb '14, 01:32) Kurt Knochner ♦

Kurt, when tshark crashes or has no response, is there one ".pcapng" file or more files not analyzed in the temp directory? In other words, after tshark crashes or has no response, can dumpcap produce new ".pcapng" files? (19 Feb '14, 17:05) metamatrix
Can anyone give me some advice? Appreciated.
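The wrapper script Kurt's answer describes, written out as an added example (this is not code from the thread, from the asker's modified tshark, or from the Wireshark project). It assumes tshark is told to print one frame number per processed packet with `-T fields -e frame.number -l` (`-l` flushes after every packet, so the progress file is current when tshark dies); a modified tshark that already writes its own records could append `frame.number` to the same file instead. The variable names (`MAX_ATTEMPTS`, `TSHARK_FILTER_FLAG`) and the function names are this script's own. One caveat the thread only hints at: a display filter (`-Y`, or `-R` on older versions) is applied after dissection, so tshark still dissects every frame before the resume point. If the crash is deterministic at one frame, the resume point stops advancing, and the script reports that frame so it can be cut from the capture with editcap, as the second comment suggests.

```shell
#!/bin/sh
# Added example, not from the original answer: restart tshark after a crash and
# resume from the last frame it reported.
# Assumptions: tshark prints one frame number per packet ("-T fields -e
# frame.number -l"); MAX_ATTEMPTS and TSHARK_FILTER_FLAG are this script's own.

MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"
TSHARK_FILTER_FLAG="${TSHARK_FILTER_FLAG:--Y}"   # set to -R for tshark versions without -Y

# Highest frame number recorded so far (0 for a missing or empty file).
# A last line cut short by a crash (e.g. "1" where "10" was being written) can
# only under-report, so a restart may re-emit a few frames but never skips one.
last_frame() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk '/^[0-9]+$/ { n = $1 + 0; if (n > m) m = n } END { print m + 0 }' "$1"
}

# Display filter selecting only the frames after the resume point.
resume_filter() {
    printf 'frame.number > %d' "$1"
}

# Run tshark on $1 (capture file), appending frame numbers to $2 (progress
# file); any further arguments are passed through to tshark. Returns 0 when
# tshark finishes normally, 1 when it keeps dying at the same frame or the
# attempt budget is exhausted.
run_resumable() {
    capture="$1"; progress="$2"; shift 2
    attempt=0
    prev=-1
    while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do
        start=$(last_frame "$progress")
        if [ "$start" -eq "$prev" ]; then
            # No progress since the previous crash: frame start+1 is the likely
            # culprit. tshark dissects every frame before applying a display
            # filter, so the only way past it is to cut it from the capture:
            #   editcap "$capture" fixed.pcapng $((start + 1))
            echo "tshark fails repeatedly at frame $((start + 1)) of $capture" >&2
            return 1
        fi
        prev=$start
        if tshark -r "$capture" "$TSHARK_FILTER_FLAG" "$(resume_filter "$start")" \
                -T fields -e frame.number -l "$@" >> "$progress"; then
            return 0
        else
            status=$?
        fi
        attempt=$((attempt + 1))
        echo "tshark exited with status $status; resuming after frame $(last_frame "$progress")" >&2
    done
    return 1
}

# Usage: ./resume_tshark.sh capture.pcapng progress.txt [extra tshark args]
if [ "$#" -ge 2 ]; then
    run_resumable "$@"
fi
```

The loop only handles a tshark that exits. For the "no response" case in the question, put a watchdog in front of the tshark call (for example `timeout(1)` from GNU coreutils) so a hang turns into a non-zero exit and the same resume logic applies. Because a restart can re-emit the last frame or two, whatever consumes the recorded packets should tolerate duplicates.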