This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to recover the analyzing process after crashing

0

I modified a tshark version to filter the packets that I was concerned with, and record them in files. When tshark crashes or stops responding, I want to resume the analyzing process at the next tshark start-up. How do I record and recover the index info with minimal modifications? Any ideas?

asked 16 Feb '14, 23:39

metamatrix

Can anyone give me some advice? Appreciated.

(17 Feb '14, 23:37) metamatrix

One Answer:

0

You could record the frame number (frame.number) of the processed packets to a file. When you restart tshark (with a wrapper script) you could determine the last processed frame number from that file and start tshark with the following option.

tshark -nr input.pcap -Y "frame.number > 1234"

If your version of tshark does not know -Y, please use -R instead.

Regards
Kurt

answered 18 Feb '14, 00:05

Kurt Knochner ♦

Thank you, Kurt. I'll have a try.

(18 Feb '14, 01:12) metamatrix

I'm not really sure if tshark would not crash if you use that method. I guess it depends on the reason for the crash.

If it still crashes at the same frame, you can try to modify the capture file (probably with editcap) and remove the frame(s) that led to the crash. There is no guarantee that this works, but at least it's a simple solution to implement with scripting.

Everything else would require larger changes to tshark and the whole wireshark dissection engine to catch and process exceptions.

(18 Feb '14, 01:32) Kurt Knochner ♦
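The wrapper script that the answer above describes (record the frame number, restart with a frame.number filter), with the stop condition from the follow-up comment (give up once the same frame crashes tshark twice, leaving that frame for editcap). This is an added example, not code from the original thread; it assumes the modified tshark prints each processed packet's frame number, which is taken from -T fields -e frame.number here, and that the checkpoint file holds one frame number per line.

```shell
#!/usr/bin/env bash
# Wrapper that restarts tshark from the last frame recorded in a checkpoint
# file. Assumptions (not from the page): the modified tshark prints each
# processed packet's frame number (here via -T fields -e frame.number), and
# the checkpoint file holds one frame number per line.

# Display filter that resumes after frame $1 (-Y; older tshark needs -R).
resume_filter() {
    printf 'frame.number > %s' "$1"
}

# Last complete frame number in the checkpoint file, or 0 if there is none.
# A crash can leave a half-written final line ("12" from "1234"), so a final
# line without a terminating newline is discarded rather than trusted.
last_frame() {
    local ckpt=$1 lines n
    [ -s "$ckpt" ] || { echo 0; return; }
    if [ -n "$(tail -c 1 "$ckpt")" ]; then
        lines=$(sed '$d' "$ckpt")      # unterminated last line: drop it
    else
        lines=$(cat "$ckpt")
    fi
    n=$(printf '%s\n' "$lines" | grep -E '^[0-9]+$' | tail -n 1) || true
    echo "${n:-0}"
}

# Restart tshark until it exits cleanly (return 0) or stops advancing past
# the same frame (return 1: that frame is the one to cut out with editcap).
# -l flushes stdout after every packet so the checkpoint survives a crash.
resume_loop() {
    local pcap=$1 ckpt=$2 before after status
    while :; do
        before=$(last_frame "$ckpt")
        tshark -l -nr "$pcap" -Y "$(resume_filter "$before")" \
            -T fields -e frame.number >>"$ckpt"
        status=$?
        [ "$status" -eq 0 ] && return 0
        after=$(last_frame "$ckpt")
        if [ "$after" -eq "$before" ]; then
            echo "no progress past frame $after (exit $status), giving up" >&2
            return 1
        fi
        echo "tshark exited $status after frame $after, resuming" >&2
    done
}

# usage: ./resume.sh input.pcap checkpoint.txt
if [ "$#" -eq 2 ]; then resume_loop "$1" "$2"; fi
```

For the "no response" case, run the tshark line under coreutils timeout so a hang becomes a non-zero exit that the loop handles like a crash.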

Kurt, when tshark crashes or stops responding, is there one ".pcapng" file, or more than one, left unanalyzed in the temp directory? In other words, after tshark crashes or stops responding, can dumpcap still produce new ".pcapng" files?

(19 Feb '14, 17:05) metamatrix