Wireshark-users: [Wireshark-users] Using multiple files with tshark

From: "McGlinchy, Alistair" <Alistair.McGlinchy@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 28 Feb 2007 17:11:48 -0000
Title: Using multiple files with tshark

Hello,

I have been trying to get the tshark to save files ever 60 seconds but I get a unexpected error both in Linux and Windows.

    D:\>tshark -b duration:60 -w test.cap -f http
    tshark: Multiple capture files requested, but no maximum capture file size was specified.

    D:\>tshark -v
    TShark 0.99.4 (SVN Rev 19757)

    Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    Compiled with GLib 2.6.6, with WinPcap (version unknown), with libz 1.2.3, with
    libpcre 6.4, with Net-SNMP 5.3.1, with ADNS, with Lua 5.1, with GnuTLS 1.5.1,
    with Gcrypt 1.2.3, with MIT Kerberos.

    Running on Windows XP Service Pack 2, build 2600, with WinPcap version 3.1
    (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x].

    Built using Microsoft Visual C++ 6.0 build 8804

Reviewing the archives I see that someone else had the same problem, but this was not fixed in 0.94 or 0.95 as the response suggests

        http://www.wireshark.org/lists/wireshark-users/200701/msg01139.html

I've had a quick look at the code and I can see the specific problem.  At line 1288 of tshark.c  there seems that the command validation only allows the filesize method of autostopping.

          if (!capture_opts.has_autostop_filesize) {
            cmdarg_err("Multiple capture files requested, but "
              "no maximum capture file size was specified.");
            exit(1);
          }

I have naively tweaked this to try to allow for a duration instead but it makes no difference.

          if (!capture_opts.has_autostop_filesize &&
              !capture_opts.has_autostop_duration ) {
            cmdarg_err("Multiple capture files requested, but "
              "no maximum capture file size was specified.");
            exit(1);
          }

From scanning the code it appears the functionality is all there, its just that the argument parsing is not working. Does anybody with more c-foo than me know how to fix this?

Cheers

Alistair


**********************************************************************

Registered Office:

Marks and Spencer plc

Waterside House

35 North Wharf Road

London

W2 1NW

Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422

Facsimile (020) 7487 2670

<<www.marksandspencer.com>>

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.

2005