Using -V and -b causes ring buffer to fail?

asked 2025-07-14 22:27:52 +0000

veciot

Hello, I'm having an issue with TShark (Wireshark) 4.4.7 on Ubuntu 24.04.2.

I'm trying to get TShark to run continuously while printing packet details with -V to stdout. I want to use -b to split the capture every so often to cut down on memory/storage usage.

Running like this runs the ring buffer just fine, but without the packet details I need:

tshark -b filesize:1000 -b files:2 -w /tmp/test

Running like this prints the packet details I need, but after the file size limit is reached, tshark stops instead of moving to the next file:

tshark -V -b filesize:1000 -b files:2 -w /tmp/test

Does anyone know a way around this or a fix?


1 Answer


answered 2025-07-15 02:14:55 +0000

Chuckc

tshark is calling dumpcap to do the capture and maintain the ring buffer.
(See diagram in WSDG: Chapter 7. How Wireshark Works.)

I think you're getting a race condition where dumpcap is wrapping the ring buffer before tshark is done processing a file. Are you catching stderr when starting tshark?

You might try more smaller files: -b filesize:100 -b files:20.

250714_ring_buffer$ "$WS_BIN/tshark.exe" -i 4 -b filesize:10 -b files:2 -w foo -V > tshark.out 2>tshark.err

250714_ring_buffer$ cat tshark.err
Capturing on 'Intel(R) Ethernet Connection I218-LM'
tshark: The file "foo_00005_20250714210249" doesn't exist.
121 packets captured

250714_ring_buffer$ tail -10 ./tshark.out
        Frame Type: PING (0x0000000000000001)
    CRYPTO
        Frame Type: CRYPTO (0x0000000000000006)
        Offset: 45
        Length: 5
        Crypto Data
    PADDING Length: 3
        Frame Type: PADDING (0x0000000000000000)
        [Padding Length: 3]

Comments

I tried the method of using more files and smaller sizes (-b filesize:10 -b files:20) and got the same error you did, saying "The file "xxxxxx" doesn't exist". I do get stdout normally, but this is the first time anything has come up aside from the usual "xxx packets captured" message that appears when tshark exits.

This does show that you are correct that it's a race condition issue. Do you know if there's a way around it?

veciot ( 2025-07-15 12:31:49 +0000 )

When I tried running tshark.exe -i 5 -b filesize:10 -b files:2 -w foo -V > tshark.out 2>tshark.err with Wireshark 4.4.7 on Windows 11, it terminated after a short time.

Here's the similar message in the tshark.err file about the non-existent capture file:

Capturing on 'Wi-Fi'
tshark: The file "foo_00022_20250715102639" doesn't exist.
793 packets captured

These were the pcap files generated:

dir /b foo*
foo_00021_20250715102639
foo_00024_20250715102639
foo_00025_20250715102639
cmaynard ( 2025-07-15 14:35:58 +0000 )

-V is a bit of a sledgehammer. Can you reduce the work on tshark by only printing certain fields with -e or only process packets that match a display filter (-Y) ?

There is an Ask question (Long running tshark process and "-M" flag) and open issue (20431: Long running tshark with "-M 10000" keeps consuming memory) that might help.

Chuckc ( 2025-07-15 14:38:09 +0000 )

@cmaynard the extra file (foo_00021...) might mean that dumpcap could not delete it because tshark was holding it open for processing?

Chuckc ( 2025-07-15 14:41:10 +0000 )

I'm not sure. I tried with the -l option, but that didn't help at all.

Here's the head of the tshark.err file now:

Capturing on 'Wi-Fi'
tshark: The file "foo_00034_20250715104052" doesn't exist.
936 packets captured

And even more files were left over than before:

dir /b foo*
foo_00003_20250715104029
foo_00005_20250715104029
foo_00010_20250715104032
foo_00031_20250715104051
foo_00033_20250715104051
foo_00035_20250715104052
foo_00036_20250715104052
cmaynard ( 2025-07-15 14:45:05 +0000 )
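
One way to sidestep the race discussed in the answer, as an added example that is not from the thread or from the Wireshark project: let dumpcap own the ring buffer and point `tshark -V -r` only at files dumpcap has already closed. The variable and function names are hypothetical, and the file-name pattern is assumed from the names shown in the outputs above.

```shell
#!/bin/sh
# Added example, not from the thread: dumpcap owns the ring buffer and
# tshark only ever reads files that dumpcap has already closed.
# PREFIX, RING_KB, RING_FILES and POLL_SECS are illustrative values.
PREFIX=${PREFIX:-/tmp/test}
RING_KB=${RING_KB:-1000}
RING_FILES=${RING_FILES:-20}
POLL_SECS=${POLL_SECS:-1}
DISSECT=${DISSECT:-tshark -V -r}   # command run on each closed file
LAST=                              # newest file already dissected

# Print closed ring files newer than $2, oldest first. Names look like
# PREFIX_00005_20250714210249, so glob (lexical) order is capture order.
# The newest match is still being written and is never printed.
closed_files() {
    prev=
    for f in "$1"_[0-9][0-9][0-9][0-9][0-9]_*; do
        [ -e "$f" ] || continue                 # glob matched nothing
        if [ -n "$prev" ] && expr "x$prev" \> "x$2" >/dev/null; then
            printf '%s\n' "$prev"
        fi
        prev=$f
    done
}

# Dissect each newly closed file. A file the ring deleted before it was
# read is reported as a gap and skipped; the run does not stop.
dissect_new() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        $DISSECT "$f" </dev/null || echo "gap: could not read $f" >&2
        LAST=$f
    done <<EOF
$(closed_files "$1" "$LAST")
EOF
}

follow() {
    dumpcap -q -b "filesize:$RING_KB" -b "files:$RING_FILES" -w "$PREFIX" &
    cap=$!
    trap 'kill "$cap" 2>/dev/null' EXIT INT TERM
    while kill -0 "$cap" 2>/dev/null; do
        dissect_new "$PREFIX"
        sleep "$POLL_SECS"
    done
}

if [ "${1:-}" = follow ]; then follow; fi
```

Invoke the script with the argument `follow` to start capturing. Output trails the live capture by one file, and `files:` has to be large enough for the reader to keep up; otherwise gaps are reported on stderr.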
