I built a WLAN sniffer on a Raspberry Pi using Python scripts and tshark. Tshark saves the captures in a ring buffer containing 10 files with a length of e.g. one minute per file (I cannot change that, because of the limited memory on the Pi), and it runs in a separate thread, which works just fine.
My problem is that I need to save all management frames (the ones outside the ring buffer window, too) to decrypt the other packets. I had the idea to analyze a .pcap file when tshark is done writing to it. Is there any way to get the information from tshark when it has moved on to the next file, and then trigger a function to analyse the file, filter out everything that's not management related and save it to a separate file? All this would then be done in yet another thread, so the GUI does not freeze and tshark does not pause/stop capturing.
Or is it possible to filter different packet types and write them into two files directly while capturing without losing any of them?
asked 25 May '16, 04:51
Found a solution (but instead of parsing the stdout I used a timer). Could you tell me how I can parse the stdout from dumpcap? I googled for a few hours but did not find a proper way to do it. To me, the timer seems very inelegant.
This part calls the timer and dumpcap and stops it. Dumpcap is stopped by a SIGTERM command.
answered 02 Jun '16, 04:50
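The timer can be replaced by reading what dumpcap itself reports. The following is an added example, not code from the question or any of the answers: when run with `-w` and without `-q`, dumpcap prints a line of the form `File: <path>` each time it opens a ring-buffer file, and it prints that on stderr (not stdout), after the previous file has been closed. So the previous file is complete exactly when the next `File:` line appears. The example parses those lines, hands each finished file to a worker thread, and keeps only the management frames (what tshark would select with `wlan.fc.type == 0`) in a separate file. It assumes dumpcap is started with `-P` so the ring files are classic pcap (the default pcapng is not parsed here); the interface name, directory layout and the sample pcap are constructed for the example.

```python
import os
import re
import struct
import subprocess
import tempfile
from concurrent.futures import ThreadPoolExecutor

# dumpcap (with -w, without -q) announces each new ring-buffer file on stderr as "File: <path>"
FILE_LINE = re.compile(r"^File:\s+(.+?)\s*$")


def parse_dumpcap_line(line):
    """Return the capture file path if a dumpcap stderr line announces a new file, else None."""
    m = FILE_LINE.match(line)
    return m.group(1) if m else None


class RotationTracker:
    """Remember which file dumpcap is writing and report the one it has just finished."""

    def __init__(self):
        self.current = None

    def observe(self, line):
        path = parse_dumpcap_line(line)
        if path is None or path == self.current:
            return None
        finished, self.current = self.current, path
        return finished  # None until dumpcap moves on to its second file


LINKTYPE_IEEE802_11 = 105               # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127      # radiotap header in front of each 802.11 frame
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond / nanosecond timestamp pcaps


def _byte_order(magic):
    for order in ("<", ">"):
        if struct.unpack(order + "I", magic)[0] in PCAP_MAGICS:
            return order
    raise ValueError("not a pcap file (pcapng? start dumpcap with -P)")


def wlan_frame_type(frame, linktype):
    """802.11 frame type from the Frame Control field: 0=management, 1=control, 2=data."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        if len(frame) < 4:
            return None
        frame = frame[struct.unpack("<H", frame[2:4])[0]:]  # radiotap it_len is always little-endian
    elif linktype != LINKTYPE_IEEE802_11:
        return None
    return (frame[0] >> 2) & 0x3 if frame else None  # bits 2-3 of FC byte 0 are the type


def iter_records(data):
    """Yield (record header, frame bytes, linktype) for each packet record of a pcap blob."""
    order = _byte_order(data[:4])
    linktype = struct.unpack(order + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack(order + "I", hdr[8:12])[0]
        yield hdr, data[off + 16:off + 16 + incl_len], linktype
        off += 16 + incl_len


def extract_management_frames(src, dst):
    """Copy only management frames (tshark: wlan.fc.type == 0) from src to dst; return how many."""
    with open(src, "rb") as f:
        data = f.read()
    kept = 0
    with open(dst, "wb") as out:
        out.write(data[:24])  # same global header, so the same link type
        for hdr, frame, linktype in iter_records(data):
            if wlan_frame_type(frame, linktype) == 0:
                out.write(hdr + frame)
                kept += 1
    return kept


def frame_types(path):
    with open(path, "rb") as f:
        return [wlan_frame_type(fr, lt) for _, fr, lt in iter_records(f.read())]


def write_sample_pcap(path):
    """Constructed input (not a real capture): beacon, data frame, deauth, 24 bytes each."""
    frames = [bytes([0x80, 0x00]) + bytes(22),   # beacon: type 0, subtype 8
              bytes([0x08, 0x02]) + bytes(22),   # data:   type 2
              bytes([0xC0, 0x00]) + bytes(22)]   # deauth: type 0, subtype 12
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1464000000 + i, 0, len(fr), len(fr)) + fr)


def demo_split(workdir=None):
    """Offline check of the filter on the sample: returns (frames kept, types in the output)."""
    workdir = workdir or tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "ring.pcap"), os.path.join(workdir, "mgmt.pcap")
    write_sample_pcap(src)
    return extract_management_frames(src, dst), frame_types(dst)


def capture_and_extract(interface, ring_dir, mgmt_dir, files=10, seconds=60):
    """Run dumpcap with a ring buffer; process each finished file on a worker thread."""
    argv = ["dumpcap", "-i", interface, "-P", "-b", f"files:{files}",
            "-b", f"duration:{seconds}", "-w", os.path.join(ring_dir, "ring.pcap")]
    proc = subprocess.Popen(argv, stderr=subprocess.PIPE, text=True)
    tracker = RotationTracker()
    with ThreadPoolExecutor(max_workers=1) as pool:
        def process(path):
            pool.submit(extract_management_frames, path,
                        os.path.join(mgmt_dir, os.path.basename(path) + ".mgmt.pcap"))
        try:
            for line in proc.stderr:      # blocks until dumpcap prints its next status line
                finished = tracker.observe(line)
                if finished:
                    process(finished)
        except KeyboardInterrupt:
            proc.terminate()              # SIGTERM, as in the timer-based solution
        proc.wait()
        if tracker.current:
            process(tracker.current)      # the last file is complete once dumpcap has exited
```

`capture_and_extract("wlan0mon", "/tmp/ring", "/tmp/mgmt")` is the whole loop: the main thread only reads dumpcap's stderr, so the GUI thread is untouched and dumpcap never pauses. A finished file is processed within seconds of rotation, long before dumpcap deletes it (that only happens when it opens the eleventh file). Reading each one-minute file into memory is fine at this size; for larger files `extract_management_frames` would need to stream records instead.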
Note that you should be using dumpcap to do the capturing, tshark retains state and will consume memory and eventually crash. dumpcap takes the same parameters as tshark for interface specification and ring buffers but can't use tshark display filters, only capture filters.
If you are discarding a capture after 10 minutes it would seem that you don't need most of the content, only the "management frames", is this correct? If so, why don't you set a filter so that you only capture the management frames, rather than attempt to post-process them out of the captures?
answered 25 May '16, 06:11
Is there a reason why you couldn't run two instances of dumpcap, one capturing only management frames and not using a ring buffer, and one capturing the other frames into a ring buffer?
answered 02 Jun '16, 11:34
Guy Harris
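The two-instance layout suggested in this answer, as an added example that is not part of the original reply: one dumpcap writes management frames to a single growing file, the other writes everything else to the ring buffer, and both are stopped with SIGTERM so dumpcap can close its files cleanly. `type mgt` is libpcap's capture-filter primitive for 802.11 management frames; the interface and file names are placeholders.

```python
import signal
import subprocess


def dumpcap_argv(interface, capture_filter, outfile, ring_files=None, ring_seconds=None):
    """Build a dumpcap command line: -P keeps classic pcap output, -f is a BPF capture filter."""
    argv = ["dumpcap", "-i", interface, "-P", "-f", capture_filter]
    if ring_files:
        argv += ["-b", f"files:{ring_files}"]
    if ring_seconds:
        argv += ["-b", f"duration:{ring_seconds}"]
    return argv + ["-w", outfile]


def split_capture_commands(interface, mgmt_file, ring_file, files=10, seconds=60):
    """Two instances on the same monitor interface: 'type mgt' and its complement partition the traffic."""
    return (dumpcap_argv(interface, "type mgt", mgmt_file),
            dumpcap_argv(interface, "not type mgt", ring_file, files, seconds))


def run_split_capture(interface, mgmt_file, ring_file):
    """Start both captures; Ctrl-C sends SIGTERM to each so dumpcap finishes its files."""
    procs = [subprocess.Popen(argv) for argv in split_capture_commands(interface, mgmt_file, ring_file)]
    try:
        for p in procs:
            p.wait()
    except KeyboardInterrupt:
        for p in procs:
            p.send_signal(signal.SIGTERM)
        for p in procs:
            p.wait()
```

Two caveats a practitioner will hit: the management-only file grows without bound, so it still needs its own rotation or periodic pruning on a memory-limited Pi; and if the point of keeping management frames is WPA/WPA2 decryption, note that Wireshark also needs the EAPOL 4-way handshake, which consists of data frames, so a `type mgt` filter alone will not capture what decryption requires.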