How to write a dump file without package bytes (only lines of text-package list), and that at the same time it was possible to read this file in real time?

answered 2019-11-08 11:24:27 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

updated 2019-11-08 13:38:57 +0000

On Windows you can use tshark (part of the Wireshark suite) to do mostly the same thing.

Some caveats;

Windows doesn't support the -i any option to select all interfaces, instead you'll have to explicitly add the interfaces required with multiple -i entries. Use tshark -D to list the interfaces.
The -I option may or may not put WiFi interfaces into monitor mode. This is an issue with Windows WiFI NIC drivers. You may have to omit this option.
The -t option of tcpdump to suppress the timestamp isn't supported directly by tshark, so should be omitted.
The -q option of tcpdump to reduce the output isn't directly supported so should be omitted.

This gives a command line similar to:

path\to\tshark.exe -i x -i y -s 0 > C:\temp\log

where x and y are the interfaces you wish to capture on.

You may also use -T fields -e xxx -e yyy ... to limit the output to fields as specified by multiple -e options.

See the tshark man page for more info.

edit flag offensive delete link

Comments

Thanks! Bat how to disable the buffer? The file is written in blocks, not immediately. And I need each new line to be added at once. The buffer can accumulate for a long time, if you limit the rules of traffic capture.

Hifexar ( 2019-11-08 12:16:13 +0000 )edit

From the aforementioned man page:

-l
Flush the standard output after the information for each packet is printed. (This is not, strictly speaking, line-buffered if -V was specified; however, it is the same as line-buffered if -V wasn't specified, as only one line is printed for each packet, and, as -l is normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering. We do this as a workaround for a deficiency in the Microsoft Visual C++ C library.)
This may be useful when piping the output of TShark to another program, as it means that the program to which the output is piped will see the dissected data for a packet as soon as TShark sees the packet and generates that ...

(more)

grahamb ( 2019-11-08 13:14:29 +0000 )edit

-I dont work.

$ ./tshark.exe -i 4 -s 0 -B 1 -I -T fields -e frame.number -e ip.addr -e udp -e _ws.col.Info > /cygdrive/c/Users/Hifexar/Desktop/tshark
Capturing on 'Подключение по локальной сети'
tshark: The capture session could not be initiated on interface '\Device\NPF_{2692855C-A25F-428C-BB4C-C6B124481B73}' (Generic error).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
0 packets captured

Hifexar@xxxx /cygdrive/c/Program Files/Wireshark
$

Without -I works, but with a buffer.

Hifexar ( 2019-11-08 13:27:12 +0000 )edit

O, thanks! "lower case l" -l works.

Hifexar ( 2019-11-08 13:30:02 +0000 )edit

"On Windows you can use tcpdump" - should this be tshark?

Chuckc ( 2019-11-08 13:34:21 +0000 )edit

see more comments

How to write a dump file without package bytes (only lines of text-package list), and that at the same time it was possible to read this file in real time?

1 Answer

Comments

Your Answer

Question Tools

Stats

How to write a dump file without package bytes (only lines of text-package list), and that at the same time it was possible to read this file in real time? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

How to write a dump file without package bytes (only lines of text-package list), and that at the same time it was possible to read this file in real time?