tshark to write packets to text file every minute?

asked 2018-06-14

How do we write packet details (hex values) in a text file after every X secs?

tshark -i eth -b duration:10 -x -w trial.txt

I tried this, but there are junk values in the files rather than the packet bytes in hex.

answered 2018-06-15

Guy Harris


tshark -i eth -b duration:10 -x > trial.txt

-w specifies a file to which to write packet metadata, and the raw packet data, in binary format, i.e. a capture file.

Running without -w will cause TShark to write packet summaries (without -V) or packet details (with -V), as well as packet hex data as text (with -x), to the standard output, so to get it into a file, redirect the standard output to that file.

When I tried as you said, I was getting an error saying "Multiple capture files requested":

C:\Program Files\Wireshark>tshark -i eth -b duration:10 > test.txt

tshark: Multiple capture files requested, but the capture isn't being saved to a file.

shenthil ( 2018-06-15 )

When using the -b option, you will need to specify a file to write to. Since it doesn't seem that you actually care about the resulting capture file (which of course also makes one wonder why you're specifying -b in the first place), you may wish to restrict the number of files in the ring buffer to the minimum possible. Unfortunately, due to what seems like a bug to me, you can't specify only 1 file in the ring buffer, so the minimum is 2; therefore try:

tshark -i eth -b files:2 -b duration:10 -x -w trial.pcapng > trial.txt

You can delete the 2 trial*.pcapng files later if you don't need them. Specifying -b files:1 behaves as if the number of files hadn't been specified; you may wish to file a bug report for that behavior at https://bugs ...(more)

cmaynard ( 2018-06-15 )
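The commands above send all of the `-x` text to one file. As an added example (not from the answer or the comments, and not Wireshark code), this sketch splits that text stream into one file per X seconds using the relative time on each summary line. It assumes TShark's default column layout; the function name, the output file naming and the sample lines are constructed for illustration.

```python
import re
import sys

# Summary line in TShark's default column layout: frame number, then relative
# time in seconds (assumption; custom columns or -t options change this).
SUMMARY = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s")

def split_stream(lines, interval, prefix):
    """Write `tshark -x` text to <prefix>_<n>.txt, one file per `interval` seconds.

    Files are switched only on a summary line, so a packet's hex dump always
    stays with its summary. Intervals without packets produce no file.
    Returns the file names in the order they were opened.
    """
    current, out, names = None, None, []
    try:
        for line in lines:
            m = SUMMARY.match(line)
            if m:
                bucket = int(float(m.group(2)) // interval)
                if bucket != current:
                    if out:
                        out.close()
                    name = f"{prefix}_{bucket:05d}.txt"
                    out = open(name, "a", encoding="utf-8")
                    names.append(name)
                    current = bucket
            if out:  # skip anything printed before the first packet
                out.write(line.rstrip("\n") + "\n")
    finally:
        if out:
            out.close()
    return names

# Constructed sample in the shape of `tshark -x` output (not a real capture).
SAMPLE = """\
    1   0.000000 192.0.2.1 → 192.0.2.2 ICMP 42 Echo (ping) request

0000  00 00 5e 00 53 01 00 00 5e 00 53 02 08 00 45 00   ..^.S...^.S...E.

    2  10.200000 192.0.2.2 → 192.0.2.1 ICMP 42 Echo (ping) reply

0000  00 00 5e 00 53 02 00 00 5e 00 53 01 08 00 45 00   ..^.S...^.S...E.
""".splitlines()

if __name__ == "__main__":
    # Usage: tshark -i eth -l -x | python split_hex.py 10 trial
    sys.stdin.reconfigure(encoding="utf-8", errors="replace")
    print(split_stream(sys.stdin, float(sys.argv[1]), sys.argv[2]))
```

The `-l` option makes TShark flush standard output after each packet, so the text reaches the script as packets arrive rather than in large buffered chunks.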


