
tshark to write packets to text file every minute?

asked 2018-06-14 20:30:55 +0000

shenthil

updated 2018-06-21 17:46:44 +0000

grahamb

How do we write packet details (hex values) in a text file after every X secs?

tshark -i eth -b duration:10 -x -w trial.txt

I tried this, but there are junk values in the files rather than the packet bytes in hex.


1 Answer


answered 2018-06-15 04:13:57 +0000

Guy Harris

Try

tshark -i eth -b duration:10 -x > trial.txt

-w specifies a file to which to write packet metadata, and the raw packet data, in binary format, i.e. a capture file.

Running without -w will cause TShark to write packet summaries (without -V) or packet details (with -V), as well as packet hex data as text (with -x), to the standard output, so to get it into a file, redirect the standard output to that file.


Comments

When I tried as you said, I was getting an error saying "Multiple capture files requested":

C:\Program Files\Wireshark>tshark -i eth -b duration:10 > test.txt

tshark: Multiple capture files requested, but the capture isn't being saved to a file.

shenthil ( 2018-06-15 13:44:10 +0000 )

When using the -b option, you will need to specify a file to write to. Since it doesn't seem that you actually care about the resulting capture file (which of course also makes one wonder why you're specifying -b in the first place), you may wish to restrict the number of files in the ring buffer to the minimum possible. Unfortunately, due to what seems like a bug to me, you can't specify only 1 file in the ring buffer, so the minimum is 2; therefore try:

tshark -i eth -b files:2 -b duration:10 -x -w trial.pcapng > trial.txt

You can delete the 2 trial*.pcapng files later if you don't need them. Specifying -b files:1 behaves as if the number of files hadn't been specified; you may wish to file a bug report for that behavior at https://bugs ...

cmaynard ( 2018-06-15 15:14:19 +0000 )

To follow up on my previous comment about the odd behavior of -b files:1, I believe this is just another occurrence of Bug 1650.

In my re-testing of this option, after 10 seconds a 2nd file was opened up by dumpcap but the 1st file wasn't able to be deleted, most likely because tshark was still processing it. Later, dumpcap opened up a 3rd file and deleted the 2nd one. When tshark finally completed its processing of the 1st file, it attempted to open the 2nd one, but since it had already been deleted, tshark complained that the 2nd file didn't exist and exited.

Specifically, the error message seen was:

tshark: The file "ask3578_00002_20190102155128.pcapng" doesn't exist.
cmaynard ( 2019-01-02 21:11:46 +0000 )
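
An added example, not part of the original thread or of Wireshark's own code: one way to get a new text file every N seconds without -b is to pipe a single tshark -x run (with -l, which flushes standard output after each packet) into a small splitter. The script name rotate_hex.py, the output file naming, and the assumption that each packet's hex dump is followed by a blank line are this example's own.

```python
import re
import sys
import time

# One hex dump line of "tshark -x" text: 4-digit offset, then byte values.
HEX_LINE = re.compile(r"^[0-9a-f]{4}\s+[0-9a-f]{2}\s")

# Constructed sample of "tshark -x" text output (three made-up packets).
SAMPLE = [
    "    1   0.000000 10.0.0.1 -> 10.0.0.2 UDP 46 Len=4\n", "\n",
    "0000  de ad be ef                                       ....\n", "\n",
    "    2   4.200000 10.0.0.2 -> 10.0.0.1 UDP 46 Len=4\n", "\n",
    "0000  ca fe ba be                                       ....\n", "\n",
    "    3  11.500000 10.0.0.1 -> 10.0.0.2 UDP 46 Len=4\n", "\n",
    "0000  01 02 03 04                                       ....\n", "\n",
]


def rotate(lines, interval, prefix, clock=time.time):
    """Copy lines into prefix_00001.txt, prefix_00002.txt, ... and return the names.

    A new file is started once `interval` seconds have passed, but only at a
    packet boundary (assumed: the blank line that follows a hex dump), so no
    packet's dump is split across two files.
    """
    names, out, started, in_dump = [], None, 0.0, False
    for line in lines:
        if out is None:
            names.append("%s_%05d.txt" % (prefix, len(names) + 1))
            out = open(names[-1], "w", encoding="utf-8")
            started = clock()
        out.write(line)
        if HEX_LINE.match(line):
            in_dump = True
        elif in_dump and not line.strip():
            in_dump = False                      # end of this packet's dump
            if clock() - started >= interval:
                out.close()
                out = None                       # next packet opens a new file
    if out is not None:
        out.close()
    return names


if __name__ == "__main__":
    # Hypothetical script name:  tshark -i eth -l -x | python rotate_hex.py trial 10
    sys.stdin.reconfigure(errors="replace")
    print(rotate(sys.stdin, float(sys.argv[2]), sys.argv[1]))
```

The clock is only checked when a packet ends, so an interval in which no packets arrive produces no file.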
