This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

send packetdata from tshark to wireshark

0

I want to run tshark on a Raspberry Pi after booting or for a defined period of time and save the captured packets into a file. This file should then be accessible from Wireshark on my Windows laptop. I want to do this because I want to capture packets for example when I am not at home and then can analyze the captured data when I am back home. Is that possible? How can I start capturing after booting or for a defined period of time into a file and then send it to Wireshark on my laptop?

asked 09 Feb '16, 07:58

Vin's gravatar image

Vin
6112
accept rate: 0%


2 Answers:

0

Just copy the capture file in the same way you would transfer any other file from the Pi, e.g. scp, or samba.

Note that capturing for an extended period using tshark may either:

  1. Run out of memory
  2. Run out of disk space.

The former can be fixed by using dumpcap rather than tshark, the same files are produced, but dumpcap doesn't retain any state so doesn't have an ever increasing memory usage.

The latter can only be fixed by providing the Pi with more disk space, or capturing in a "ring" of files, but note that when the ring "wraps", the earliest files are lost. See the -b option to tshark\dumpcap.

answered 09 Feb '16, 08:06

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Similarly, tcpdump can be used to dump to a file; if run with the -w flag, it'll just write raw packet data to the file without interpreting it, and thus won't maintain any memory-eating state. If you have it, but not any of Wireshark's components, installed on the RPi, you won't need to install Wireshark just to get dumpcap.

(09 Feb '16, 12:29) Guy Harris ♦♦

0

How can I start capturing after booting

That would depend on the OS you're running on your RPi - and Linux isn't "the OS", a particular Linux distribution is "the OS", and the answer may differ between distributions. (System V init? systemd? etc.)

or for a defined period of time into a file

For dumpcap:

dumpcap -a duration:{N} -w {filename}

where {N} is the number of seconds for which you want it to capture (which can be a large number, so you can, for example, capture for an entire day with {N} = 86400) and {filename} is the name of the file to which to write. -b, as Graham noted, lets you have a ring of files, so that, if you have limited "disk" space, you can have a ring of files and save only the most recent packets if you don't have enough "disk" space for all the packets.

Tcpdump, unfortunately, doesn't have a "stop capturing after {N} seconds" option.

answered 09 Feb '16, 12:37

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I run Raspbian on my Raspberry Pi. How can I start capturing after booting there? I read that it can be done by adding a line in /etc/rc.local but I am not sure what to put there.

(15 Feb '16, 15:24) Vin