Ask Your Question
0

pyshark for live capture - dumpcap and tshark

asked 2021-02-10 07:12:34 +0000

BMWE gravatar image

updated 2021-02-11 16:52:42 +0000

Hello,

When using tshark it creates temporary files. When it is used for long time, it will create huge files, therefore it is a good idea to limit the size and number of files.

From reading in the internet, when starting tshark, it will automatically use dumpcap.

Now, I'd like to use pyshark to capture the data and import it to python for further analysis. pyshark uses 2 tools (dumpcap and tshark) as follows:

dumpcap -q -i 5 -w -
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

the outfile, format of text output, ring buffer parameters could be changed with the existing interface of pyshark.

However, If I'd like to use display filter (with -Y) or capture filter (-f) I'm getting Multiple capture files requested, but a capture isn't being done which is tshark`s message

What change do you suggest to do so that live capture could be used with capture filter and/or display filter?

EDIT:

I've tested the proposed change below:

dumpcap -q -f length ==162 -i 2 -w - 
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

and still receiving Multiple capture files requested, but a capture isn't being done

What I'm doing wrong?

edit retag flag offensive close merge delete

Comments

What is the complete command line being passed when adding the display or capture filters?

grahamb gravatar imagegrahamb ( 2021-02-10 09:10:17 +0000 )edit

For example

tshark -l -n -T pdml -Y udp.port==30000 -r - -b filesize:1024 -b files:1 -w test.pcap -P
BMWE gravatar imageBMWE ( 2021-02-10 09:15:38 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-02-10 17:45:17 +0000

Chuckc gravatar image

When using the -r option, tshark is not in capture mode so capture options are not allowed.

If you want to rotate test.pcap, use -w - and pipe to "magic code here".

dumpcap has a -f <capture filter> option that can limit the data captured and sent to tshark.

tshark man page
-r|--read-file <infile> - Read packet data from infile, ...

tshark.c

      /*
       * "-r" was specified, so we're reading a capture file.
       * Capture options don't apply here.
       */
edit flag offensive delete link more

Comments

OK, so according to my understanding, I shall change the code so that the capture filter (or display filter) would be on dumpcap and use the tshark regularly as on my question. Am I understanding right?

BMWE gravatar imageBMWE ( 2021-02-10 17:52:45 +0000 )edit

Yes with the caveat that dumpcap only supports capture filters.

Chuckc gravatar imageChuckc ( 2021-02-10 18:47:02 +0000 )edit

So if I have some custom dissector with 6 types of messages, how can I filter specific message? Lets say the protocol name is my_protocol and contains message setum_cmd and status_rpt. I'd like to filter one of them. How my command shall look like? (never did it)

BMWE gravatar imageBMWE ( 2021-02-10 18:50:51 +0000 )edit

Sorry. I forgot to add in to use the display filter on tshark:

C:\>dumpcap -q -i 6 -w - | tshark -l -n -r - -w test.pcap -P -Y icmp
Capturing on 'Ethernet'
File: -
   71   5.404530 192.168.200.135 8.8.8.8      ICMP 98 eth:ethertype:ip:icmp:data            1 (0x0001) 256 (0x0100) 8960 (0x2300),35 (0x0023)    Echo (ping) request  id=0x0023, seq=1/256, ttl=128
   72   5.473056      8.8.8.8 192.168.200.135 ICMP 98 eth:ethertype:ip:icmp:data            1 (0x0001) 256 (0x0100) 8960 (0x2300),35 (0x0023)    Echo (ping) reply    id=0x0023, seq=1/256, ttl=118 (request in 71)
Chuckc gravatar imageChuckc ( 2021-02-10 20:02:51 +0000 )edit

Mr. @Chuckc, your last comment is not answering the issue. The example you have provided is working as there is no -b flag I need the -b flag as part of the tcpdump and there the filter won't work. Can you please refer to my last comment?

BMWE gravatar imageBMWE ( 2021-02-10 20:10:35 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-02-10 07:12:34 +0000

Seen: 1,706 times

Last updated: Feb 11 '21

Related questions

Dumpcap/TCPDump packet loss when writing data to disk with high traffic

Cannot remote capture and filter?

Step by step SSL decrypt with wireshark

Unable to write to standard output: The pipe is being closed.

Ignored Unknown Record

How to kill dumpcap.exe - not able to kill it with taskkill running as admin

Can't see encrypted application data in SSL session

How to use rawshark to analyse a pcap file which is generated by tcpdump?

How can we dump pcap file data onto CAN bus

Link layer header type for serial/UART communication