Tshark output single line json

edit

If by

Doing a ^c stops capture but doesn't write a complete last packet captured.

you mean, for example, that if you do

tshark -i <interface> -T ek -l | {program that reads the Elasticsearch output}

and interrupt TShark with ^C, there's no final "]", that's a bug - and, in fact, I just tried

tshark -i en0 -T ek -l | cat >/tmp/testfile

and ^C'ed it, and /tmp/testfile did, in fact, have no final "]" - that's a bug, and it should be reported on the Wireshark Bugzilla.

tshark catches ^c and exits clean.
I think it is the second command after the pipe that exits abruptly.
If I kill dumpcap then everything exits clean and writes the "]".
So either define tshark capture end condition or open another shell, look for dumpcap and kill it.

root@kali:~# tshark -Tjson > ctrl_c.out
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
14 ^C
root@kali:~# tail -2 ./ctrl_c.out
  }
]

root@kali:~# tshark -Tjson | tr -d '\n' > ctrl_c.out
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
8 ^Ctshark: An error occurred while printing packets: Broken pipe.

root@kali:~#

Thanks for your answer. Unfortunately thats not what I am searching for. I want to analyze live traffic for an undefined amount of time, so a capture is a long running task. My question was simply if there is some way to force tshark to output one line for each packet received as json. Just like -T ek does but better formatted and named. Thanks

Ok. Perhaps someone else can get sed to act on the stream.
The output from tr -d '\n' is one continuous stream without packet breaks.
Need something like fold but doing it on a string not number of characters.

This will work unless the input data has a \r in it.

    tshark -Tjson  | sed -e "s/^  },$/ },\r/g" | tr -d '\n' | tr -s '\r' '\n'