Ask Your Question
0

Tshark output incomplete in real time

asked 2018-04-18 07:42:19 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I ran following Commands :-

1) cat demo.cap | tshark -Tek -r - >> > outputs 8742 packets.

But when i try to tail the file....

2) tail -f -c +0 demo.cap | tshark -Tek -r - >> outputs 8672 packets.

3) tail -f -c +0 demo.cap | tshark -Tek -l -r - >> outputs 8672 packets.

On wireshark UI i get 8742 packets.

Interestingly if I use a capture of libcap format then and use -i instead of -r,

4) tail -f -c +0 demo.cap | tshark -Tek -i - > >> outputs 8742 packets.

it's apparent that, all packets are not seen, I realized Tshark might be buffering its output, but -l is not helping either. can anyone explain where else to look?

edit retag flag offensive close merge delete

Comments

once I append 4kb Garbage at the end of the file, I am able to get all the packets, with an error message as well, which i can conveniently ignore.. but it seems to me when I use -r option, tshark uses input buffer of around 4kb before reading packets...?? can anyone please confirm

himanshu97 gravatar imagehimanshu97 ( 2018-04-18 11:04:01 +0000 )edit

Tshark version, and OS you're running on?

grahamb gravatar imagegrahamb ( 2018-04-18 12:06:55 +0000 )edit

tshark 2.4.3 and 2.2.6 on centos 7

himanshu97 gravatar imagehimanshu97 ( 2018-04-18 14:07:31 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-04-22 14:56:50 +0000

Jim Young gravatar image

Using "tshark -r -" as in:

$ tail -f -c +0 demo.pcap | tshark -r -

Results in two concurrent processes:

$ ps -eaf

...

501 20361 4116 0 10:03AM ttys000 0:00.56 tail -f -c +0 demo.pcap

501 20362 4116 0 10:03AM ttys000 0:00.44 /Applications/Wireshark.app/Contents/MacOS/tshark -r -

...

Using "tshark -i -" as in:

$ tail -f -c +0 demo.pcap | tshark -i -

Results in three concurrent processes:

$ ps -eaf

...

501 20406 4116 0 10:09AM ttys000 0:00.57 tail -f -c +0 demo.pcap

501 20407 4116 0 10:09AM ttys000 0:00.45 /Applications/Wireshark.app/Contents/MacOS/tshark -i -

501 20423 20407 0 10:09AM ttys000 0:00.09 /Applications/Wireshark.app/Contents/MacOS/dumpcap -n -i - -Z none

...

In your examples 2, 3 and 4 you start your pipeline with the command: "tail -f -c +0 demo.cap". As you are aware the tail command with the -f option does not simply exit when it sees EOF; instead it stays open testing to see if any new data is appended to the demo.cap.

In your "... | tshark -Tek -r -" and "... | tshark -Tek -l -r -" cases you are telling tshark to read from a file but the use of the "-" indicates that the file should be the STDIN file handle. In the "... | tshark -Tek -i - " case you are telling tshark to read from a device but the use of the "-" indicates the use of STDIN as a pipe. The tshark -i - case will cause tshark to spawn a dumpcap process to read data from the pipe and pass the data up to tshark similar to the way a live capture data is read.

When using the "tshark -r -" and "tshark -l -r -" options it appears that the last buffer's worth of data may not be reliably accessible to tshark when the pipeline is signaled to terminate.

edit flag offensive delete link more

Comments

yup Figured out same , last buffer it around 4kb.

himanshu97 gravatar imagehimanshu97 ( 2018-05-07 09:40:33 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-18 07:42:19 +0000

Seen: 1,290 times

Last updated: Apr 22 '18