Wireshark-users: Re: [Wireshark-users] Run TShark + USBPcap forever on Windows

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Sat, 4 Feb 2017 21:20:30 +0000


On 4 February 2017 at 02:44, Matthew Dierker <matthew.dierker@xxxxxxxxx> wrote:
Hi! I'm using TShark to pipe USB packets on Windows from USBPcap to a Python program. TShark is run using Python's subprocess library. I'm having TShark echo the results to a subprocess.PIPE object as json, and I'm reading that in from the Python code. As far as I know, no packets are ever written to a file.

It's all working fine, but TShark eventually decides it's time to exit, notated by "XXX packets captured" printed to stderr. My goal is to have this run indefinitely in the background, and a silent restart isn't a great option because of the UAC dialog that pops up each time. Any idea why TShark decides to exit if it isn't hitting a file limit?

Sample Params: tshark.exe -i [usb interface] -x -T json -l -Y [display filter]

Thanks!


Possibly out of memory, although I'm a little surprised that you get the summary output if that's the case. 

Neither tshark or Wireshark in general are designed for continuous capture as they retain state and will eventually run out of memory.  I don't know if USB traffic does have state to retain, but some empirical testing should confirm that by inspecting memory usage.

Also, why is there a UAC prompt, no items in the Wireshark suite should require (or be run with, as this is a security risk) administrator privileges?


--
Graham Bloice