Wireshark-users: Re: [Wireshark-users] How can I run tshark for days at a time without running out of disk space?

From: "Fender, Brian" <FenderB@xxxxxxxxxxxxxxx>
Date: Fri, 25 Jul 2008 12:00:15 -0400
Why not just capture the raw data with tcpdump, with the -W and -C
options to limit file size, then replay it in tshark at whatever verbosity
you desire?

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jeff Morriss
Sent: Friday, July 25, 2008 10:07 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How can I run tshark for days at a time
without running out of disk space?


This should allow you to capture to a ring buffer while also
decoding/displaying the messages:

tshark -b filesize:10000 -b files:5 -w /tmp/foo -nVS

(The "-S" is important otherwise tshark will assume that because you're
writing to a file you don't really want the "-V".)

You do need to be careful that your tshark is able to decode (and write
to its stdout--which means your script's speed matters too) faster than
the data is coming out, see:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1650

Marc MERLIN wrote:
> On Thu, Jul 24, 2008 at 11:05:59PM +0400, Abhik Sarkar wrote:
>> On Thu, Jul 24, 2008 at 9:10 PM, Marc MERLIN <marc_ws@xxxxxxxxxxx> wrote:
>>> Can I either:
>>> 1) skip dumpcap and not have an ever growing file?
>> From what I understand, dumpcap was introduced to meet this objective:
>> http://wiki.wireshark.org/Development/PrivilegeSeparation. tshark 
>> spawns dumpcap, and capture is not possible without this.
> 
> Right. It's a good idea for most, but quite undesirable for me. It'd 
> be nice if that could be turned off since it prevents running tshark 
> in live capture mode for a long time.
> 
>>> 2) tell tshark to quit when the dumpcap file is 10G and I'll restart it in
>>>    a loop after /bin/rm /tmp/etherXXX*
>>>
>> You should not have to clean up these files manually if the processes
>> were terminated cleanly. There has been some discussion on this 
>> recently, as you might have seen:
>> http://www.wireshark.org/lists/wireshark-users/200807/msg00127.html.
>> If you are also facing this issue, it probably needs to be looked 
>> into more carefully.
> 
> Honestly, the loss of work from having a 2 day process capture die is 
> high for me and since I've seen tshark die on out of disk space and 
> the ether file left around in /tmp, I'm just going to delete them all on restart.
> 
>> Here are a few suggestions:
>> - you could use the -c option and restart in a loop, but you risk 
>> losing packets between the restarts
> 
> Looks like the winning proposition for me right now.
> I'll just set -c 1000000
> 
>> - I don't know for sure if it is possible, but you could try the 
>> reverse of what is mentioned in 
>> http://wiki.wireshark.org/CaptureSetup/Pipes
> 
> I doubt that will work, if have no control over the tempfile 
> dumpcap/tshark create and share, and if I have tshark output to a 
> file, it turns off protocol decoding.
> 
>> - Haven't ever tried this, but maybe it is possible to use a ring 
>> buffer with a named pipe as an output file.
>> (I am not quite sure if the last two options would prevent the 
>> dumpcap file from growing though...)
> 
> Ouch :)
> 
> I think I'll use this for now:
> (while :
> do
>         /bin/rm /tmp/etherXXXX*
>         # tshark uses a tempfile to dump and analyse from, which means we
>         # can't have it grow forever, so we restart tshark every 1 million
>         # packets and delete the old file left behind if it died with an error.
>         tshark -c 1000000 -n -V -l -i eth1 port nfs and host 172.28.80.41
>         echo "tshark finished with $?, restarting" >&2
> done) | ~/analyse_nfs > out$$ 2>err$$
> 
> Thanks,
> Marc
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
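The thread above weighs two ways of keeping a multi-day capture from filling the disk: tshark's own ring buffer (Jeff's `-b filesize:` / `-b files:` with `-S` so the `-V` decode keeps flowing while `-w` is active) and Brian's split of capturing raw with tcpdump `-C`/`-W` and decoding later with `tshark -r`. The following POSIX shell wrapper is an added example written for this page; it is not code from any of the posters or from the Wireshark project. It adds the check a practitioner wants before starting: the ring's worst-case footprint (filesize times number of files, plus the file currently being written) compared against the free space where the files go. The interface name, directory, sizes, capture filter, the `raw0`, `raw1`, ... naming tcpdump uses with `-W`, and the `~/analyse_nfs` analyser path are placeholders, and the `-S` flag follows the 2008 thread (tshark 1.10 renamed it to `-P`).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wireshark project.
# Wraps the two approaches discussed: tshark's ring buffer (-b filesize:/
# -b files: plus -S so -V output continues while -w is active) and the
# tcpdump -C/-W "capture raw now, decode later" split. Interface,
# directory, sizes, filter and analyser path are placeholders.

# Disk an N-file ring of SIZE_KB files can occupy: tshark's -b filesize:
# is in kB and -b files: caps how many files are kept before the oldest
# one is overwritten.
ring_budget_kb() {            # $1 = filesize kB, $2 = number of files
    echo $(( $1 * $2 ))
}

# Free kB on the filesystem holding directory $1 (portable df -P format).
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# True when the ring fits in the free space of $3. One extra file is
# budgeted because the file being written reaches full size before the
# oldest one is deleted.
ring_fits() {                 # $1 = filesize kB, $2 = files, $3 = directory
    [ "$(avail_kb "$3")" -ge "$(ring_budget_kb "$1" $(( $2 + 1 )))" ]
}

# Jeff's approach: decode live while keeping only the last N ring files.
# -l line-buffers stdout so the downstream analyser sees packets promptly.
# (-S was renamed -P in tshark 1.10; the 2008 thread uses -S.)
run_ring_capture() {          # $1 iface, $2 dir, $3 filesize kB, $4 files, $5.. filter
    iface=$1 dir=$2 fsize=$3 nfiles=$4
    shift 4
    ring_fits "$fsize" "$nfiles" "$dir" || {
        echo "ring needs $(ring_budget_kb "$fsize" $(( nfiles + 1 ))) kB free in $dir" >&2
        return 1
    }
    tshark -i "$iface" -n -l -V -S \
        -b filesize:"$fsize" -b files:"$nfiles" -w "$dir/ring.pcap" "$@"
}

# Brian's approach, step 1: tcpdump writes a rotating set of raw files
# (-C is in millions of bytes, -W caps the file count; files are named
# raw0, raw1, ...). No decoding happens here, so it keeps up with the wire.
run_raw_capture() {           # $1 iface, $2 dir, $3 size MB, $4 files, $5.. filter
    iface=$1 dir=$2 size_mb=$3 nfiles=$4
    shift 4
    tcpdump -i "$iface" -n -C "$size_mb" -W "$nfiles" -w "$dir/raw" "$@"
}

# Brian's approach, step 2: replay the saved files through tshark at any
# verbosity, one decoder run per file so a crash loses at most one file.
decode_raw_files() {          # $1 dir, $2 analyser command (placeholder)
    for f in "$1"/raw*; do
        [ -f "$f" ] || continue
        tshark -r "$f" -n -V | "$2" || echo "decoder failed on $f" >&2
    done
}

# Usage with placeholder values:
#   run_ring_capture eth1 /var/tmp 10000 5 port nfs and host 192.0.2.10
#   run_raw_capture  eth1 /var/tmp 100 20 port nfs
#   decode_raw_files /var/tmp ~/analyse_nfs
```

The budget check is deliberately conservative: `-b files:5` with `-b filesize:10000` means five 10 MB files on disk plus the sixth being filled, so the wrapper refuses to start unless roughly 60 MB is free rather than 50. The raw-capture path sidesteps the decode-speed concern raised with bug 1650, since tcpdump only copies bytes to disk and the expensive `-V` decode runs afterwards from the saved files.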