tshark tmp file not stop growing

xq1xq1xq1
1 ●1 ●1

I am sending packets from tshark into elasticsearch:

tshark -i ens5 -T ek -x -j -l

My issue is that the tmp file still has the initial packet in it and continues to grow:

capinfos /tmp/wireshark_ens5_20190411122510_JlODTv.pcapng | grep time First packet time:
2019-04-11 12:25:10.637409777 Last packet time: 2019-04-15

Is there any method of pruning the tshark tmp file after the data has been sent to elasticsearch?

2 Answers

Sort by » oldest newest most voted

Guy Harris
19890 ●3 ●659 ●207

Is there any method of pruning the tshark tmp file after the data has been sent to elasticsearch?

No. There is, at best, a method for discarding packets once more than a certain number have been written - the ring buffer option mentioned by @Jaap.

13742 ●710 ●115

Have you looked into the capture ring buffer option -b, see the manual page.

In my case the packets are being fed into ElasticSearch in RealTime.

There is no purpose for having the packets stored in a file once they are ingested into ElasticSearch.

As such, I do not see a ringbuffer working, am I missing something?

xq1xq1xq1 ( 2019-04-15 19:13:06 +0000 )edit

Please start posting anonymously - your entry will be published after you log in or create a new account.