Ask Your Question
0

How can I delete first n number of frames from memory in tshark

asked 2019-05-11 13:59:16 +0000

P Rao gravatar image

Hello,

I am capturing high throughput traffic for a sufficiently long duration. Is there a way to delete first n number of frames from the memory? I do not need them after some number frames have been received after those n frames. I want to do this several times over the capture duration. This should not disturb the capturing and should not cause data loss. I am OK if this can be achieved through a Lua script.

I am already running tshark with Lua script that is dissecting further the TCP/UDP payload with a proprietary protocol. I can extend this Lua. My Lua needs to keep a few dissected fields as its own objects to complete the dissection. The Lua script also output pcapng files each with a calculated number of frames and this calculation is part of my Lua. Again my dissection and other tasks that Lua does should not be disturbed while clearing those n frames.

I do not use WireShark GUI as I do not need to view anything and no need to jump to old frames at all.

Regards PR

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-05-11 14:48:36 +0000

grahamb gravatar image

updated 2019-05-11 14:48:50 +0000

Have a look at the ringbuffer option -b (man page here) that splits tshark output into multiple files based on packets, bytes or time. This will affect your lua script but should be reasonably easy to handle.

edit flag offensive delete link more

Comments

I am not sure if this can reduce memory. Per my understanding, it creates a specified amount (duration/Bytes) amount of size of the output file and the memory keep growing. If you still say that it will keep the memory low I can try once more.

P Rao gravatar imageP Rao ( 2019-05-11 15:03:56 +0000 )edit

See this blog entry.

Pascal Quantin gravatar imagePascal Quantin ( 2019-05-11 15:10:38 +0000 )edit

Thanks, @Pascal for sharing this blog. Looks like Tshark has got its share of functionality off late. It was not so appropriate to force Wireshark behavior on it. @grahamb, I will try and share my results. I hope I can adjust my Lua where I have overridden (kind of) the -w and -b option and implemented my own file splitting based on a logical condition. Hope I can find a middle ground.

P Rao gravatar imageP Rao ( 2019-05-11 15:42:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-05-11 13:59:16 +0000

Seen: 595 times

Last updated: May 11 '19