
pyshark for live capture - dumpcap and tshark

asked 2021-02-10 07:12:34 +0000 by BMWE

updated 2021-02-11 16:52:42 +0000


When using tshark, it creates temporary files. When it is used for a long time, it will create huge files, therefore it is a good idea to limit the size and number of files.

From reading on the internet, when starting tshark, it will automatically use dumpcap.

Now, I'd like to use pyshark to capture the data and import it to python for further analysis. pyshark uses 2 tools (dumpcap and tshark) as follows:

dumpcap -q -i 5 -w -
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

The outfile, the format of the text output and the ring buffer parameters can be changed with the existing interface of pyshark.

However, if I'd like to use a display filter (with -Y) or a capture filter (-f), I'm getting "Multiple capture files requested, but a capture isn't being done", which is tshark's message.

What change do you suggest to do so that live capture could be used with capture filter and/or display filter?


I've tested the proposed change below:

dumpcap -q -f length ==162 -i 2 -w -
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

and I am still receiving "Multiple capture files requested, but a capture isn't being done".

What am I doing wrong?



What is the complete command line being passed when adding the display or capture filters?

grahamb (2021-02-10 09:10:17 +0000)

For example:

tshark -l -n -T pdml -Y udp.port==30000 -r - -b filesize:1024 -b files:1 -w test.pcap -P

BMWE (2021-02-10 09:15:38 +0000)

1 Answer


answered 2021-02-10 17:45:17 +0000

Chuckc

When using the -r option, tshark is not in capture mode so capture options are not allowed.

If you want to rotate test.pcap, use -w - and pipe to "magic code here".

dumpcap has a -f <capture filter> option that can limit the data captured and sent to tshark.

tshark man page:

    -r|--read-file <infile> - Read packet data from infile, ...

       * "-r" was specified, so we're reading a capture file.
       * Capture options don't apply here.


OK, so according to my understanding, I shall change the code so that the capture filter (or display filter) would be on dumpcap and use the tshark regularly as on my question. Am I understanding right?

BMWE (2021-02-10 17:52:45 +0000)

Yes with the caveat that dumpcap only supports capture filters.

Chuckc (2021-02-10 18:47:02 +0000)

So if I have some custom dissector with 6 types of messages, how can I filter a specific message? Let's say the protocol name is my_protocol and it contains the messages setum_cmd and status_rpt. I'd like to filter one of them. How shall my command look? (never did it)

BMWE (2021-02-10 18:50:51 +0000)

Sorry. I forgot to add in how to use the display filter on tshark:

C:\>dumpcap -q -i 6 -w - | tshark -l -n -r - -w test.pcap -P -Y icmp
Capturing on 'Ethernet'
File: -
   71   5.404530      ICMP 98 eth:ethertype:ip:icmp:data            1 (0x0001) 256 (0x0100) 8960 (0x2300),35 (0x0023)    Echo (ping) request  id=0x0023, seq=1/256, ttl=128
   72   5.473056 ICMP 98 eth:ethertype:ip:icmp:data            1 (0x0001) 256 (0x0100) 8960 (0x2300),35 (0x0023)    Echo (ping) reply    id=0x0023, seq=1/256, ttl=118 (request in 71)
Chuckc (2021-02-10 20:02:51 +0000)

Mr. @Chuckc, your last comment is not answering the issue. The example you have provided is working as there is no -b flag. I need the -b flag as part of the tcpdump, and there the filter won't work. Can you please refer to my last comment?

BMWE (2021-02-10 20:10:35 +0000)

When using the -r option with tshark, it is not in capture mode so the -b options are not valid.
What was the goal of using -b?

Chuckc (2021-02-10 20:25:04 +0000)

The -b is in order to limit the size of the files that are going to be generated (my program shall run for a long time).

BMWE (2021-02-11 06:13:33 +0000)

P.S. See the edit in the original question.

BMWE (2021-02-11 16:54:20 +0000)

-b is a capture mode option. When -r is used, tshark is in read-mode, not capture mode.

There is an open issue (tshark, when run without -w, should have dumpcap pipe the packets to it) which is the original issue of temp growing without bounds.
The workaround was to run dumpcap -w - | tshark -r - so that the capture data is sent to tshark via a pipe.

But now the output file (-w /tmp/pyshark.cap) from tshark grows too large, so something is needed to limit its size.

Option #1 - have tshark write to stdout (-w -) and provide your own solution to create the output file and rotate it as needed to limit the size.
Option #2 - open an enhancement request

Here is a similar request to limit the output file size - TShark and Rotating JSON Files

Chuckc (2021-02-11 18:11:33 +0000)
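The script below is an added example for Option #1 and is not code from pyshark, Wireshark or any participant in this thread. It reads the classic-pcap stream that `tshark ... -F pcap -w -` writes to stdout and reproduces on disk what `-b filesize:` and `-b files:` would have done in capture mode: every output file gets its own copy of the pcap global header (so each one opens on its own), a new file is started before a record would push the current file past the byte limit, and the oldest file is deleted once the file-count limit is exceeded. A truncated final record (tshark killed mid-write) is dropped rather than written, and a record length above Wireshark's 262144-byte maximum is treated as a desynchronised stream and aborts. The interface number, filters, directory and limits in the pipeline shown in the docstring are placeholders, and `build_sample_pcap` constructs dummy frames purely so the script can be exercised offline.

```python
"""rotate_pcap.py: size- and count-limited ring buffer for a classic pcap stream
read from stdin. Added example, not pyshark or Wireshark code; interface, filters
and paths in the usage line are placeholders:
  dumpcap -q -i 5 -f 'udp port 30000' -w - | tshark -l -n -r - -Y 'udp.port==30000' -F pcap -w - | python3 rotate_pcap.py /tmp/caps 1048576 10
"""
import os
import struct
import sys
import tempfile
from io import BytesIO

GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16   # classic pcap file header / per-record header
MAX_SANE_LEN = 262144                  # Wireshark's standard maximum packet size
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # usec timestamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nsec timestamps

def _read_exact(stream, n):
    """Read n bytes; returns fewer only at end of stream (pipes give short reads)."""
    buf = bytearray()
    while len(buf) < n and (chunk := stream.read(n - len(buf))):
        buf += chunk
    return bytes(buf)

def rotate_pcap(stream, out_dir, max_bytes, max_files, prefix="capture"):
    """Split a pcap stream into out_dir/<prefix>_NNNNN.pcap files of at most
    max_bytes each, deleting the oldest so at most max_files remain. Every file
    starts with its own copy of the global header, so each is valid on its own.
    Returns (records written, files still on disk, oldest first)."""
    global_hdr = _read_exact(stream, GLOBAL_HDR_LEN)
    if len(global_hdr) != GLOBAL_HDR_LEN or global_hdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap stream (run tshark with -F pcap)")
    endian = MAGICS[global_hdr[:4]]
    os.makedirs(out_dir, exist_ok=True)
    files, fh, size, seq = [], None, 0, 0

    def open_next():
        nonlocal fh, size, seq
        if fh:
            fh.close()
        path = os.path.join(out_dir, f"{prefix}_{seq:05d}.pcap")
        seq += 1
        fh = open(path, "wb")
        fh.write(global_hdr)
        size = GLOBAL_HDR_LEN
        files.append(path)
        while len(files) > max_files:              # ring buffer: drop the oldest file
            os.remove(files.pop(0))

    open_next()
    records = 0
    while True:
        rec_hdr = _read_exact(stream, REC_HDR_LEN)
        if len(rec_hdr) < REC_HDR_LEN:
            break                                  # clean end of stream
        incl_len = struct.unpack(endian + "I", rec_hdr[8:12])[0]
        if incl_len > MAX_SANE_LEN:
            raise ValueError(f"record length {incl_len} implausible; stream desynchronised")
        data = _read_exact(stream, incl_len)
        if len(data) < incl_len:
            break                                  # truncated last record: never write it
        if size + REC_HDR_LEN + incl_len > max_bytes and size > GLOBAL_HDR_LEN:
            open_next()                            # rotate before, not after, a record
        fh.write(rec_hdr + data)
        size += REC_HDR_LEN + incl_len
        records += 1
    fh.close()
    return records, list(files)

def count_records(path):
    """Count records in one rotated file by walking its record headers."""
    with open(path, "rb") as fh:
        endian, n = MAGICS[fh.read(GLOBAL_HDR_LEN)[:4]], 0
        while len(hdr := fh.read(REC_HDR_LEN)) == REC_HDR_LEN:
            fh.seek(struct.unpack(endian + "I", hdr[8:12])[0], 1)
            n += 1
        return n

def build_sample_pcap(n_packets, payload_len=64):
    """Constructed test input: little-endian pcap, DLT 1, n_packets dummy 78-byte frames."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i in range(n_packets):
        frame = bytes(14) + bytes([i & 0xFF]) * payload_len   # zero Ethernet header + filler
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def run_demo():
    """10 constructed frames through a ring holding 3 records per file, 2 files max."""
    out_dir = tempfile.mkdtemp(prefix="rotate_pcap_")
    max_bytes = GLOBAL_HDR_LEN + 3 * (REC_HDR_LEN + 78)
    records, files = rotate_pcap(BytesIO(build_sample_pcap(10)), out_dir, max_bytes, 2)
    return {"records": records, "files": [os.path.basename(p) for p in files],
            "on_disk": sorted(os.listdir(out_dir)), "per_file": [count_records(p) for p in files]}

if __name__ == "__main__":
    n, kept = rotate_pcap(sys.stdin.buffer, sys.argv[1], int(sys.argv[2]), int(sys.argv[3]))
    print(f"{n} packets written; files kept: {kept}", file=sys.stderr)
```

Two caveats. tshark writes pcapng by default, so `-F pcap` is what makes the stream parseable by this fixed-header reader; without it the first check fails immediately instead of producing unreadable files. And tshark's stdout can carry only one thing: this pipeline cannot be combined unchanged with the `-T pdml` output that pyshark reads from the same stdout (see the command in the question), so it is a stand-alone capture path whose short, self-contained files are opened afterwards with `tshark -r`. `run_demo()` feeds ten constructed frames through a 306-byte, two-file ring and returns what is left on disk; of four files written, only `capture_00002.pcap` (3 records) and `capture_00003.pcap` (1 record) survive.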

@BMWE I think I got a simple workaround solution for your filter issue "So if I have some custom dissector with 6 types of messages, how can I filter specific message?". For every message you can add a hidden proto field (use set_hidden) with the abbreviation as the filter name. Now you have a capture filter for every message and the filter is the name of the message (for example "protcol.status_rpt"). So if you can use this capture filter to filter only what you want, it may help you.

TalH (2021-02-25 10:28:22 +0000)
