Ask Your Question
0

How can I delete first n number of frames from memory in tshark

asked 2019-05-11 13:59:16 +0000

P Rao gravatar image

Hello,

I am capturing high throughput traffic for a sufficiently long duration. Is there a way to delete first n number of frames from the memory? I do not need them after some number frames have been received after those n frames. I want to do this several times over the capture duration. This should not disturb the capturing and should not cause data loss. I am OK if this can be achieved through a Lua script.

I am already running tshark with Lua script that is dissecting further the TCP/UDP payload with a proprietary protocol. I can extend this Lua. My Lua needs to keep a few dissected fields as its own objects to complete the dissection. The Lua script also output pcapng files each with a calculated number of frames and this calculation is part of my Lua. Again my dissection and other tasks that Lua does should not be disturbed while clearing those n frames.

I do not use WireShark GUI as I do not need to view anything and no need to jump to old frames at all.

Regards PR

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-05-11 14:48:36 +0000

grahamb gravatar image

updated 2019-05-11 14:48:50 +0000

Have a look at the ringbuffer option -b (man page here) that splits tshark output into multiple files based on packets, bytes or time. This will affect your lua script but should be reasonably easy to handle.

edit flag offensive delete link more

Comments

I am not sure if this can reduce memory. Per my understanding, it creates a specified amount (duration/Bytes) amount of size of the output file and the memory keep growing. If you still say that it will keep the memory low I can try once more.

P Rao gravatar imageP Rao ( 2019-05-11 15:03:56 +0000 )edit

See this blog entry.

Pascal Quantin gravatar imagePascal Quantin ( 2019-05-11 15:10:38 +0000 )edit

Thanks, @Pascal for sharing this blog. Looks like Tshark has got its share of functionality off late. It was not so appropriate to force Wireshark behavior on it. @grahamb, I will try and share my results. I hope I can adjust my Lua where I have overridden (kind of) the -w and -b option and implemented my own file splitting based on a logical condition. Hope I can find a middle ground.

P Rao gravatar imageP Rao ( 2019-05-11 15:42:58 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-05-11 13:59:16 +0000

Seen: 498 times

Last updated: May 11 '19

Related questions

Any way to use cmd tshark for a gns3 wire?

lua script for 80211ah

how to invert two bytes in lua script dissector ?

Adjusting Bit order and Endianess in LUA between Dissectors

Error while creating a Lua listener in 2.4.2 with filter

Lua Dumper to variable

http2 decrypted data in tshark lua script

Decode as LUA - how do I do that?

LUA: dissector wide global table

Deduplication in tshark -T ek [closed]

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2