This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark from command line


I'd like to programmatically call wireshark to capture 100 packets, parse source mac address of each packet and close. How can I do this?

This is what I have so far, but it's not working:

wireshark -c 100 -k -Q -w -

This is supposed to stop capturing after 100 packets, start capturing immediately, shut down wireshark after done, and print the output to stdout, which is the command prompt. Any help? http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html

asked 22 Aug '11, 02:43


tonio09

edited 22 Aug '11, 17:43


cmaynard ♦♦

The documentation you quote says that "-w -" sets the "savefile" to -, i.e. to the standard output. That's "savefile" in the tcpdump sense, i.e. it's a raw pcap or pcap-ng capture file, not some nice human-readable printed output.

You don't want Wireshark for this, you want TShark (which, unlike Wireshark, is intended to write dissected packets to the standard output), as the answers say.

(22 Aug '11, 17:26) Guy Harris ♦♦

2 Answers:


You can also use TShark. This command line tool is shipped together with Wireshark.

Start with tshark -D to get an overview of the available interfaces.

Capture 100 packets:
tshark -i <interface> -c 100 -w 100packets.pcap

You can also write multiple files, switching to a new file every n seconds or every n kilobytes (there is no option to switch to a new file every 100 packets).
Switch to a new file every 100 kilobytes:
$ tshark -i 3 -b filesize:100 -w mf1.pcap

Switch to new file every 60 seconds:
$ tshark -i 3 -b duration:60 -w mf2.pcap

Switch to a new file every 100 kilobytes and stop capturing after 20 files:
$ tshark -i 3 -b filesize:100 -a files:20 -w mf3.pcap

answered 22 Aug '11, 03:58


joke


Actually, you should use tshark for this. Like so:

tshark -i <interface> -c 100 -T fields -e eth.src

which spits out the mac source list on standard out.

answered 22 Aug '11, 06:01


Jaap ♦
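The two answers above together give the working pipeline: capture a fixed number of packets with tshark, and print only eth.src with "-T fields -e eth.src". What neither answer shows is what to do with that output once you have it. The script below is an added example, not code from the thread or from the Wireshark project; it assumes tshark is on PATH and that the interface name is passed in as an argument. The sample list of addresses is constructed here so the post-processing part runs without a capture. It also handles the one edge case a practitioner hits immediately: on interfaces without an Ethernet header (loopback, raw IP, some tunnels) tshark prints an empty field for eth.src, so the filter drops blank or malformed lines instead of passing them to later tooling.

```shell
#!/bin/sh
# Added example: summarize Ethernet source addresses captured with tshark.
# Assumptions (not from the original thread): tshark is on PATH and the
# capture interface is supplied as the first argument.

# Capture N packets (default 100, as in the question) on the given interface
# and emit only the Ethernet source address of each packet, one per line.
# This is the live part; it is not exercised by the offline checks below.
capture_src_macs() {
    iface="$1"
    count="${2:-100}"
    tshark -i "$iface" -c "$count" -T fields -e eth.src
}

# Post-process one-address-per-line output from "-T fields -e eth.src":
#  - normalise hex case so "AA:BB:..." and "aa:bb:..." count as the same host
#  - drop blank lines (packets with no Ethernet header print an empty field)
#  - drop anything that is not a well-formed colon-separated 48-bit MAC
#  - print "<count> <mac>", most frequent source first
summarize_src_macs() {
    tr 'A-F' 'a-f' \
    | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Constructed sample of what tshark prints: mixed case, a blank line from a
# packet without an Ethernet header, and one malformed line.
SAMPLE_ETH_SRC='00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
00:11:22:33:44:55

AA:BB:CC:DD:EE:FF
not-a-mac
00:11:22:33:44:55'

# Usage on a real interface:  capture_src_macs eth0 100 | summarize_src_macs
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_ETH_SRC" | summarize_src_macs
```

The filtering step matters more than it looks: tshark field output is untrusted data derived from whatever was on the wire, and a blank or oddly formatted line that slips into a later inventory script or database import is a classic source of silent mismatches. Validating the shape of each line before counting keeps the summary honest.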

But specifying the "wireshark -c 100 -k -Q -w -" command shouldn't cause Wireshark to crash, right? When I tried it with SVN 38675 on Windows XP SP3, that's exactly what happened. Does Wireshark really support "-w -" on Windows? If so, then I guess there's a functional bug here; if not, then I guess there's a documentation bug.

(22 Aug '11, 16:30) cmaynard ♦♦

If it truly crashes, that's a functional bug.

I tried it with SVN 38652 on OS X, and it popped up a complaint that "-" isn't a regular file (even though I'd redirected the standard output to a file), but spewed out a ton of "poll(2) failed due to: Bad file descriptor" complaints.

"-w -" should only work if the standard output is redirected to a file; it should fail otherwise. The person who asked the question apparently thought it'd write parsed output to the standard output; it will, of course, do no such thing.

(22 Aug '11, 17:24) Guy Harris ♦♦

True. It's definitely a functional bug. I guess my question is whether there's also a documentation bug, but it wouldn't appear so. Anyway, I opened bug 6256 for the crash.

(22 Aug '11, 17:58) cmaynard ♦♦

We've fixed the crash.

However, it's not clear that -Q is a useful option, as per all the notes above that TShark is the right program to use here and that Wireshark won't do what you want. Unless somebody can come up with a case where -Q is useful - i.e., where it's useful to have the GUI running while the capture is in progress, but not when the capture stops - we're probably going to eliminate it.

(23 Aug '11, 20:02) Guy Harris ♦♦