
tshark to write packets to text file every minute?

asked 2018-06-14 20:30:55 +0000

How do we write packet details (hex values) in a text file after every X secs?

tshark -i eth -b duration:10 -x -w trial.txt

I tried this, but there are junk values in the files rather than the packet bytes in hex.


1 Answer


answered 2018-06-15 04:13:57 +0000

Guy Harris


tshark -i eth -b duration:10 -x > trial.txt

-w specifies a file to which to write packet metadata, and the raw packet data, in binary format, i.e. a capture file.

Running without -w will cause TShark to write packet summaries (without -V) or packet details (with -V), as well as packet hex data as text (with -x), to the standard output, so to get it into a file, redirect the standard output to that file.



When I tried as you said, I got an error saying "Multiple capture files requested":

C:\Program Files\Wireshark>tshark -i eth -b duration:10 > test.txt

tshark: Multiple capture files requested, but the capture isn't being saved to a file.

shenthil (2018-06-15 13:44:10 +0000)

When using the -b option, you will need to specify a file to write to. Since it doesn't seem that you actually care about the resulting capture file (which of course also makes one wonder why you're specifying -b in the first place), you may wish to restrict the number of files in the ring buffer to the minimum possible. Unfortunately, due to what seems like a bug to me, you can't specify only 1 file in the ring buffer, so the minimum is 2; therefore try:

tshark -i eth -b files:2 -b duration:10 -x -w trial.pcapng > trial.txt

You can delete the 2 trial*.pcapng files later if you don't need them. Specifying -b files:1 behaves as if the number of files hadn't been specified; you may wish to file a bug report for that behavior at https://bugs ...(more)

cmaynard (2018-06-15 15:14:19 +0000)
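An added example, not part of the original answers or of Wireshark itself: to get a separate hex text file for every interval, which is what the question asks for, one approach is to restart TShark per window with the capture autostop option -a duration:N instead of -b, redirecting standard output each time as described in the answer. The function names, output directory and file naming are assumptions; packets that arrive while TShark restarts between windows are not captured.

```python
import subprocess
import sys
import time
from pathlib import Path


def build_command(interface, seconds, tshark="tshark"):
    """TShark command for one capture window.

    -a duration:N  stop capturing after N seconds (autostop condition)
    -x             print packet bytes as a hex dump
    No -w and no -b: without -w the dissected text goes to standard output.
    """
    return [tshark, "-i", interface, "-a", f"duration:{seconds}", "-x"]


def capture_windows(interface, seconds, out_dir, count,
                    tshark="tshark", runner=subprocess.run):
    """Run `count` consecutive capture windows, one text file per window.

    `runner` is injectable (an assumption of this example) so the loop can
    be exercised without a live interface. Returns the files written.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n in range(count):
        stamp = time.strftime("%Y%m%d_%H%M%S")
        # The sequence number keeps names unique even for very short windows.
        path = out_dir / f"hex_{stamp}_{n:04d}.txt"
        with open(path, "w") as fh:
            # Equivalent to: tshark -i IFACE -a duration:N -x > path
            runner(build_command(interface, seconds, tshark),
                   stdout=fh, check=True)
        written.append(path)
    return written


if __name__ == "__main__":
    # Usage: python hexdump_windows.py INTERFACE SECONDS COUNT [OUT_DIR]
    iface, secs, windows = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    target = sys.argv[4] if len(sys.argv) > 4 else "hexdumps"
    for f in capture_windows(iface, secs, target, windows):
        print(f)
```

If no packet may be lost between windows, keep a single continuous capture as in the comment above and split the text output afterwards instead.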



Asked: 2018-06-14 20:30:55 +0000

Seen: 14 times

Last updated: 2 days ago