Ask Your Question
0

Does tshark has an equivalent option of tcpdump [ -z postrotate-command ]

asked 2024-04-24 19:34:36 +0000

ZenXen gravatar image

updated 2024-04-24 19:40:21 +0000

I would like to use tshark capture packets with rotated files infinitely, after each rotated file is finished, I want to tshark to run post rotation command to upload the rotated file to remote for analysis due to limited local storage.

I read tshark man https://www.wireshark.org/docs/man-pa... but it seems there is no equivalent option of tcpcump [ -z postrotate-command ].

Can I achieve the goal using tshark?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-04-24 20:09:28 +0000

Jaap gravatar image

tshark doesn't have that, and also you do not want to use tshark for this.

Tshark is for packet dissection and that is not what you are after. You're looking for packet capture. Tshark doesn't do that, it spawns dumpcap for this. Tshark then takes that output and dissects it. While doing to it keeps state, which will potentially eventually eat all your memory.

What you want to do instead is use dumpcap directly. Even though it also does not have a post rotation command, it at least works on capture and capture only.

edit flag offensive delete link more

Comments

thanks for reply.

I used tcpdump to do the work and use tshark process pcap file; but because of security concerns, I would like to remove sensitive packet payloads/fields before saving to pcap files. Using --snaplen from tcpdump is not flexible, I thought tshark could take and inspect packets but it is turned out it is lack of a similar option -z of tcpdump.

ZenXen gravatar imageZenXen ( 2024-04-25 05:31:39 +0000 )edit

An enhancement to dumpcap and/or tshark could possibly be made to support a postrotate command to match tcpdump'sfunctionality. File an enhancement issue at https://gitlab.com/wireshark/wireshar... if this is something you'd like to see happen, and possibly someone will implement it.

cmaynard gravatar imagecmaynard ( 2024-04-30 14:22:34 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-04-24 19:34:36 +0000

Seen: 309 times

Last updated: Apr 25