Ask Your Question

Limiting tsharks /tmp file

asked 2020-04-27 08:27:34 +0000

acid2000 gravatar image

I have a long running tshark session. I don't create a local file but instead process the results of StdOut.

Recently I've found that tshark is creating a file in /tmp named wireshark_INTERFACE_TIMESTAMP_RANDOMID.pcapng. Because I am taking a long running pcap this file grows quickly to the point the machine runs out of disk space.

Does anymore know of a way to:

  • Limit the size of this file?
  • Stop it being created?
  • Rotate it after X?

The man page does define a 'ring buffer' mode however i'm not actually producing any capture file. I want these setting for the tmp file, ideally stopping it all together.

I don't really want to kill the process, remove the file and restart capture as I will lose data.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-04-27 13:53:27 +0000

Chuckc gravatar image

updated 2020-04-27 13:55:14 +0000

tshark calls dumpcap to do the capture.

You might try having dumpcap write (-w -) to stdout then pipe that into tshark reading (-r -) from stdin.

(Background on the tempfile name here )

edit flag offensive delete link more


thanks, this looks like it will work

acid2000 gravatar imageacid2000 ( 2020-04-27 15:43:40 +0000 )edit

Ideally, if tshark isn't passed a -w flag, tshark should run dumpcap in a mode where it pipes the data to tsharkand also has the "control" pipe via which it sends "read N more packets" and other messages, just as it does when writing to a file, as per bug 2743.

Guy Harris gravatar imageGuy Harris ( 2020-04-28 04:34:58 +0000 )edit

Thanks. I didn't think to look to see if there were any bugs around this topic.

Chuckc gravatar imageChuckc ( 2020-04-28 06:13:21 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2020-04-27 08:27:34 +0000

Seen: 754 times

Last updated: Apr 27 '20