Wireshark-users: Re: [Wireshark-users] newbie question, tshark input from stdin
From: "Lancashire, Pete" <Pete.Lancashire@xxxxxxxxxxxxxxxxxx>
Date: Mon, 3 Feb 2014 14:04:08 -0800
Ended up being /tmp was filling up from temporary wireshark files ...

I will do a new build vs using the one from the distribution

-pete

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Evan Huus
Sent: Monday, February 03, 2014 1:44 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie question, tshark input from stdin

Hi Pete,

The -i flag is for specifying a network interface for live capture (eg eth0) and so doesn't accept "-" to signify stdin. I'm actually a bit surprised you're getting any data at all with that command. I would expect the following to give more useful results:

$ cat pcapfile | tshark -r -

though tshark's ability to read from a pipe has been rather inconsistent up until recently due to the way filetypes are detected.

(Tangential note: tshark 1.4.x is quite old and no longer officially supported. Upgrading is a good idea, if you are able.)

Evan

On Mon, Feb 3, 2014 at 4:16 PM, Lancashire, Pete <Pete.Lancashire@xxxxxxxxxxxxxxxxxx> wrote:
> A bit confused with tshark -i -
>
> I have a pcap file with 1,177,880 records
>
> $ capinfos pcapfile
> File name: pcapfile
> File type: Wireshark/tcpdump/... - libpcap
> File encapsulation: Ethernet
> Packet size limit: file hdr: 65535 bytes
> Number of packets: 1177880
> File size: 772514406 bytes
> Data size: 753668302 bytes
> Capture duration: 4800 seconds
> Start time: Fri Jan 31 13:50:00 2014
> End time: Fri Jan 31 15:10:00 2014
> Data byte rate: 156999.79 bytes/sec
> Data bit rate: 1255998.34 bits/sec
> Average packet size: 639.85 bytes
> Average packet rate: 245.37 packets/sec
> SHA1: 1ad68104a5ea50c2392340a9e5b6f2767e6dd34f
> RIPEMD160: 519962c5e8cf8f742ebceb4d06380741fcca537b
> MD5: 9594d754ae507f5cbe7cb6ac43cd361a
> Strict time order: False
>
> tshark is
>
> $ tshark -v
> TShark 1.4.10
>
> Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
> This is free software; see the source for copying conditions. There is
> NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> Compiled (64-bit) with GLib 2.26.0, with libpcap 1.1.1, without libz,
> without POSIX capabilities, without libpcre, with SMI 0.4.8, without
> c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6,
> with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP.
>
> Running on Linux 2.6.35.14-106.fc14.x86_64, with libpcap version 1.1.1.
>
> Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).
>
> doing
> $ tshark -r pcapfile 2>/dev/null | wc -l
> 1177880
>
> Is what I expected
>
> but
> cat pcapfile | tshark -i -
>
> 6.027531 192.168.240.107 -> 192.168.2....
> 499 packets captured
>
> and confirming
>
> cat pcapfile | tshark -i - 2>/dev/null | wc -l
> 499
>
> What am I doing wrong ?
>
> Thanks
>
> -pete
>
> stops after 499 packets
>
> tshark -r pcapfile | wc -l
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
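
Added example, not part of the thread and not Wireshark code: a packet counter that reads a libpcap stream from a pipe without ever seeking, which gives an independent cross-check of a count such as the one capinfos reports above. It assumes the classic libpcap format (not pcapng); the function names and the constructed sample capture are illustrative.

```python
import struct
import sys

# libpcap magic as read little-endian -> byte order of the rest of the file.
# The last two are the nanosecond-timestamp variants.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def read_exact(stream, n):
    """Read exactly n bytes; short reads are normal on a pipe."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def count_packets(stream):
    """Return (packet_count, truncated) for a libpcap stream, never seeking."""
    hdr = read_exact(stream, 24)              # global header is 24 bytes
    if len(hdr) < 24:
        raise ValueError("too short for a libpcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a libpcap stream (magic 0x%08x)" % magic)
    order = MAGICS[magic]
    count = 0
    while True:
        rec = read_exact(stream, 16)          # per-record header is 16 bytes
        if not rec:
            return count, False               # clean end of stream
        if len(rec) < 16:
            return count, True                # cut off inside a record header
        incl_len = struct.unpack(order + "IIII", rec)[2]
        if len(read_exact(stream, incl_len)) < incl_len:
            return count, True                # cut off inside packet data
        count += 1

def sample_pcap(n, order="<"):
    """Constructed sample: Ethernet pcap holding n zero-filled 60-byte frames."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        out += struct.pack(order + "IIII", i, 0, 60, 60) + bytes(60)
    return out

if __name__ == "__main__":
    # Usage: cat pcapfile | python3 thisscript.py
    print(count_packets(sys.stdin.buffer))
```

A `truncated` value of True means the stream ended partway through a record, which is what a full /tmp or a prematurely closed pipe would look like from the reader's side.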