0

tshark packet capture redirect to file

asked 2023-06-15 13:45:21 +0000

siduki

updated 2023-06-15 13:46:29 +0000

Hello. When I use the command tshark -i eth0 -i eth1, it captures and shows packets of both interfaces. When I use this command:

tshark -i eth0 > eth0.log -i eth1 > eth1.log

it redirects to both files, but captures packets and writes only to the second file (e.g. this time eth1.log). The first file (eth0.log) is also created, but it does not capture packets and does not write to the file; the file is empty. I changed the places of eth0 and eth1 and the same thing happens: it works for eth0 and does not work for eth1. The command for a single interface also works with no problem. Am I wrong in some command, or does something different happen?

Tshark version - TShark (Wireshark) 3.4.10 (Git commit 733b3a137c2b)
Linux version - Rocky Linux 9.2


1 Answer

0

answered 2023-06-15 14:38:49 +0000

Chuckc

tshark man page

Capture to a single file - tshark -i eth0 -i eth1 -w capture.pcapng

Then post process into two files:

$ tshark -r capture.pcapng -2 -R "frame.interface_name==eth0" > eth0.log
$ tshark -r capture.pcapng -2 -R "frame.interface_name==eth1" > eth1.log

Comments

Thank you, it works, but there is one thing: when the command runs in the background, the second command doesn't work; the process must be aborted in order to separate the packets of the different interfaces into files. I need to run the capture in background mode and, if needed, check interface packets without interrupting the packet capture. And one other thing: in the capture.pcapng file I see some annoying symbols, sometimes my computer's processor name and so on, but when I process it into files per interface, everything is shown clearly there. The first time, everything in the capture file was also clear, but now I don't know what happened.

siduki ( 2023-06-16 06:40:22 +0000 )

Would it be simpler to run two parallel capture processes - one on each interface?

Chuckc ( 2023-06-16 15:59:52 +0000 )
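
The parallel-capture idea from the last comment, as an added example that is not part of the thread: in the original command the shell applies both `>` redirections to the single tshark process and the last one wins, which is why eth0.log stayed empty, so this starts one tshark per interface with its own output file. The function names, the TSHARK variable and the .log/.err/.pid file layout are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: one tshark process per interface, each with its own stdout.
# TSHARK, start_captures and stop_captures are names chosen for this sketch.

TSHARK="${TSHARK:-tshark}"

# start_captures OUTDIR IFACE...
# Launches one background capture per interface, writing the text output to
# OUTDIR/IFACE.log, errors to OUTDIR/IFACE.err and the PID to OUTDIR/IFACE.pid.
start_captures() {
    outdir=$1
    shift
    mkdir -p "$outdir" || return 1
    for iface in "$@"; do
        # -l flushes stdout after each packet, so the log can be read
        # (for example with tail -f) while the capture keeps running.
        "$TSHARK" -l -i "$iface" > "$outdir/$iface.log" 2> "$outdir/$iface.err" &
        echo $! > "$outdir/$iface.pid"
    done
}

# stop_captures OUTDIR
# Sends SIGTERM to every capture recorded by start_captures.
stop_captures() {
    outdir=$1
    for pidfile in "$outdir"/*.pid; do
        [ -f "$pidfile" ] || continue
        kill "$(cat "$pidfile")" 2>/dev/null || true
        rm -f "$pidfile"
    done
}

# When run as a script: ./percap.sh /var/tmp/cap eth0 eth1
if [ "$#" -ge 2 ]; then
    start_captures "$@"
fi
```

Each log can be inspected while its capture is still running, and stop_captures with the same directory ends all of them.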
