This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to run tshark without creating /tmp/wireshark_* file?

0

Hi! I'm using tshark to capture probe requests for some statistics calculations on a Raspberry Pi. The device has a very small memory card, and after ~20 hours tshark overflows the memory.

The only way I found is to restart tshark every 1 hour, for example.

I don't need to create a tmp file. I start tshark with the 'spawn' method in NodeJS and capture its stdout in the NodeJS process to send it to the backend.

Here is the command which runs tshark with the needed filters and fields:

 tshark -l -i wlan1 -Y 'wlan.fc.type_subtype eq 4' -T fields -e wlan.sa -e wlan.sa_resolved -e radiotap.dbm_antsignal -e frame.time -e wlan_mgt.ssid

When tshark runs, it creates a file in /tmp/wireshark_pcapng_wlan1_*.

How can I run it without creating this temp file? tshark version - 1.12.1.

Thanks!

asked 02 Apr '16, 08:09

freedev


2 Answers:

0

The problem was solved! Here is the solution.

Firstly, we cannot control the output file using display filters. I need to capture probe requests only. I read that I can use a pcap-filter for it, and then I can control the output file and its size.

At http://www.tcpdump.org/manpages/pcap-filter.7.html I read about pcap-filter and its syntax, and changed my tshark launch command to this:

tshark -l -i wlx000f6008facf -f 'type mgt subtype probe-req' -T fields -e wlan.sa -e wlan.sa_resolved -e radiotap.dbm_antsignal -e frame.time -e wlan_mgt.ssid -b filesize:2 -w /tmp/probe-req.tmp

And the file cannot be larger than 2 kb.

answered 02 Apr '16, 15:56

freedev

That still creates a temporary file, it just happens to be called /tmp/probe-req.tmp and is limited in size. That's bug 2743.

(02 Apr '16, 16:40) Guy Harris ♦♦
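
An added example, not code from the thread: one way to spawn the capture from Node.js with the answer's capture filter, adding `-b files:2` so the 2 kB files form a ring buffer and do not accumulate, and `-P` so field output is still printed while `-w` is in use. The function names and the paths passed in are assumptions; the tshark options are the ones in the answer plus those two.

```javascript
// Added example (not from the original thread). Function names are hypothetical.
const { spawn } = require('child_process');

// Field order must match the -e options built below.
const FIELDS = ['wlan.sa', 'wlan.sa_resolved', 'radiotap.dbm_antsignal',
                'frame.time', 'wlan_mgt.ssid'];

// Build argv as an array: spawn() without a shell never re-parses it.
function buildArgs(iface, ringPath) {
  if (!/^[A-Za-z0-9_.-]+$/.test(iface)) throw new Error('bad interface name');
  const args = ['-l', '-i', iface,
    '-f', 'type mgt subtype probe-req',   // capture filter from the answer
    '-b', 'filesize:2', '-b', 'files:2',  // 2 kB per file, at most 2 files kept
    '-w', ringPath,
    '-P',                                 // keep printing while -w is in use
    '-T', 'fields'];
  for (const f of FIELDS) args.push('-e', f);
  return args;
}

// stdout arrives in arbitrary chunks; only complete lines are parsed and the
// trailing partial line is carried over to the next chunk.
function makeLineParser(onRecord) {
  let pending = '';
  return (chunk) => {
    const lines = (pending + chunk).split('\n');
    pending = lines.pop();
    for (const line of lines) {
      if (line === '') continue;
      const cols = line.replace(/\r$/, '').split('\t'); // default separator is a tab
      const rec = {};
      FIELDS.forEach((name, i) => { rec[name] = cols[i] ?? ''; });
      onRecord(rec);
    }
  };
}

// Start the capture; not called here, so the file loads without tshark present.
function startCapture(iface, ringPath, onRecord) {
  const child = spawn('tshark', buildArgs(iface, ringPath),
                      { stdio: ['ignore', 'pipe', 'inherit'] });
  child.stdout.setEncoding('utf8');
  child.stdout.on('data', makeLineParser(onRecord));
  return child;
}
```

Put the ring path on a tmpfs mount if the goal is to keep capture writes off the memory card entirely.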

0

Please read this article https://blog.packet-foo.com/2014/07/wireshark-file-storage/
Maybe you could try setting the temp path temporarily to /dev/null.

answered 02 Apr '16, 08:34

Christian_R

Oh yeah, very nice case. Will check this possibility. Thanks for the response.

(02 Apr '16, 08:50) freedev