This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark wiresharkXXXX file even with text to stdout

0

I'm using tshark (Windows version) in a script that I would like to run for an indefinite period of time. The tshark parameters are something like -i1 -s48 -x<filter>. This results in text to stdout that I process with gawk. However, a wiresharkXXXX temp file is also created. There doesn't seem to be a need for a temp file when the start parameters do not specify any file creation. It looks like the temp file will grow as long as my script runs, so eventually my HD will fill up, and the script will fail. Is there a solution?

asked 23 Sep '11, 09:37

faceoff's gravatar image

faceoff
1111
accept rate: 0%

edited 24 Sep '11, 15:24

helloworld's gravatar image

helloworld
3.1k42041

3 Answers:

0

Actually: tshark runs dumpcap as a separate process to do the actual capture and the temp file is the method by which data to transferred to tshark.

I think using the tshark -b option to control the output file(s) will work.

Something like -b duration:... -b files:...

See tshark -h or the tshark man apge.

It's possible you may also need to use -w. I haven't actually tried this so I can't guarantee that this approach will work.

answered 23 Sep '11, 12:44

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

0

Be aware of the following:

  • dumpcap is the process that does the actual capture
  • the temporary capture file is used between dumpcap and tshark
  • tshark has the -b command line option to use a circular buffer
  • tshark builds up state, increasing memory footprint over time, leading to out of memory problems

answered 23 Sep '11, 13:00

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

0

I think the resolution to this problem will come when someone takes the time to resolve bug 2743.

answered 23 Sep '11, 13:03

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%