This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark revolving file collection


I am interested in running a startup script in windows that runs tshark.exe -i 1 -a filesize:100000 -b files:10 -w revolvingfiles

The idea is to only have a maximum of 1GB of hard drive space occupied at any given time, but to have the collection start at boot up. The problem is that when you re-run the command above it finds the next available number and starts its count over. This would occupy 3GB of space after being run three times.

Is there a way to force tshark to recognize the existence of previous files and to maintain the state of 10 files after multiple executions of the program (i.e. after 3 reboots, still having only 10 files)?

I understand that I could write a script that deletes the previous set of files, but this is not ideal.

asked 07 Jul '15, 09:58

greenfreq
accept rate: 33%


One Answer:


I have a script (batch file) that basically does this. Here's the basic usage:

A batch file that allows you to limit the number of files in a directory or
the total disk space consumed by those files, or both.  Optionally, you can
specify a particular file pattern to match rather than the default, which is
for all files.

WARNING: All files in excess of the maximum allowed WILL BE DELETED!

Usage: maxfiles.bat <-d dir> [options] … where options are:

[-c countlimit] [-s sizelimit] [-p pattern] [-r secs] [-q] [-h]

-d dir         The directory of files. (Required!)
-c countlimit  The maximum number of files allowed in the directory.
-s sizelimit   The maximum size limit of the files in the directory.
-p pattern     The file matching pattern. (Default is all files)
-r secs        Run continuously with a specified delay between loops.
-q             Run quietly.
-h             Display this help and exit.

Disclaimer: It hasn’t seen a lot of testing since I just wrote it today, and it has problems with file names that contain certain rather problematic characters in them, but if you avoid naming your files with characters such as "@#$%& ()_+{}~-=[];' then it should be OK. (Some of those characters are actually not a problem, but I forget exactly which ones.)

You indicated that "this is not ideal", so maybe this is of no use to you? Anyway, let me know if you're interested. I'm not quite sure where I'd post it though, but we'll figure something out, I guess.

answered 07 Jul '15, 14:59

cmaynard ♦♦
accept rate: 20%

In case it’s not obvious, the files that get deleted are the oldest ones in excess of the maximum allowable thresholds set by the caller.

(07 Jul '15, 15:05) cmaynard ♦♦

Thank you for the reply, and the offer for the script. In most cases you can post scripts to websites like http://pastebin.com/ which will give you a link that points to the code you pasted.

I would be interested in seeing how the script performs.

(07 Jul '15, 15:50) greenfreq

For now, I posted the batch file at https://wiki.wireshark.org/Tools. I found one bug after posting it, so the file there now is the updated one with md5sum = c8984274e92ffa1f09c108471113fed1.

Example usage:

maxfiles.bat -d C:\path\to\captures -c 10 -p .pcap -q

I’ve tested it, but please use with caution since it will delete files! You can report any bugs you find and I’ll try to fix them … or you can feel free to fix them yourself. :)

(07 Jul '15, 18:19) cmaynard ♦♦

The potential “problematic characters” I mentioned earlier actually seem all OK to use except for one - the space character, so at least for now, avoid using spaces in your capture file names if you plan to use the batch file.

(07 Jul '15, 18:46) cmaynard ♦♦

OK, the problem with spaces in the filename should be fixed now. The current md5sum(maxfiles.bat) = 3609ff3a171da4910e2ccaf42ec5f716.

(07 Jul '15, 19:26) cmaynard ♦♦

OK, I’ve forgotten how much I hate working with batch files. I made one more tweak so I updated it once again and the latest md5sum(maxfiles.bat) = 9d7e39d8cd8454a19bde900840d93ebd.

(07 Jul '15, 19:37) cmaynard ♦♦

OK, so to make sure I understand the batch file. It does not execute tshark, but is designed to run in tandem with it, checking periodically to see if the maximum number of files, or maximum size used, has been exceeded and then deleting, starting with the oldest file, all files necessary to meet the specified number or size limits. Also, what is the unit of measure for -s?

(08 Jul '15, 10:06) greenfreq

Correct. It knows nothing about tshark (or dumpcap or anything else for that matter). It only concerns itself with the files, regardless of what program(s) were used to generate those files.

It could be run once at startup to prune files in a given directory and then terminate, or it could be started so that it continues to monitor the directory by using the -r secs option.

Currently, -s is in units of bytes. I know it’s not necessarily the most convenient unit and I considered using another unit (or allowing other units), but I did not implement that yesterday. Consider that, “an exercise for the reader”. :)

(08 Jul '15, 11:00) cmaynard ♦♦

I will mark your script as an accepted answer as I was able to set up a startup for both it and my tshark script, and so now tshark rotates on 10 files and your script clears out anything over 15 files at 30 minute intervals. Thanks again.

(09 Jul '15, 08:41) greenfreq

Thanks for the feedback. I’m glad the batch file was useful to you.

(09 Jul '15, 08:55) cmaynard ♦♦
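The batch file itself was posted at https://wiki.wireshark.org/Tools and is not reproduced on this page. As an added example (not cmaynard's maxfiles.bat and not code from the Wireshark project), the following Python script implements the same contract the answer and comments describe: it knows nothing about tshark, looks only at the files in one directory, applies a file-count limit and/or a total-size limit in bytes, optionally restricted by a glob pattern, and deletes the oldest files first until both limits hold. It can also loop like the batch file's -r secs option. The function names, the use of file modification time to decide which file is "oldest", and the constructed sample files in demo() are assumptions of this example.

```python
"""Prune the oldest capture files in a directory so that a file-count limit
and/or a total-size limit (in bytes) are respected.

Added example for this page. It is NOT cmaynard's maxfiles.bat; it only mirrors
the behaviour described in the answer and comments. Function names, the choice
of mtime as the "age" of a file, and the sample data in demo() are assumptions.
"""
import os
import tempfile
import time
from pathlib import Path
from typing import List, NamedTuple, Optional


class CaptureFile(NamedTuple):
    name: str
    size: int      # bytes
    mtime: float   # seconds since the epoch; older file == smaller mtime


def select_victims(files: List[CaptureFile],
                   count_limit: Optional[int] = None,
                   size_limit: Optional[int] = None) -> List[str]:
    """Return the names to delete, oldest first, so that at most `count_limit`
    files and at most `size_limit` bytes remain. Pure function, no I/O, so the
    pruning policy can be tested without touching a real capture directory."""
    # Oldest first; ties broken by name so ring-buffer serial numbers order them.
    remaining = sorted(files, key=lambda f: (f.mtime, f.name))
    total = sum(f.size for f in remaining)
    victims: List[str] = []
    while remaining and (
        (count_limit is not None and len(remaining) > count_limit)
        or (size_limit is not None and total > size_limit)
    ):
        oldest = remaining.pop(0)
        total -= oldest.size
        victims.append(oldest.name)
    return victims


def prune_directory(directory: str,
                    count_limit: Optional[int] = None,
                    size_limit: Optional[int] = None,
                    pattern: str = "*",
                    dry_run: bool = False) -> List[str]:
    """Apply select_victims() to the regular files in `directory` that match
    `pattern` (glob syntax, e.g. '*.pcap') and delete them unless dry_run.
    Returns the names that were (or, with dry_run, would be) deleted."""
    root = Path(directory)
    files = []
    for p in root.glob(pattern):
        if p.is_file():              # skip subdirectories and the like
            st = p.stat()
            files.append(CaptureFile(p.name, st.st_size, st.st_mtime))
    victims = select_victims(files, count_limit, size_limit)
    if not dry_run:
        for name in victims:
            try:
                (root / name).unlink()
            except FileNotFoundError:
                pass                 # the capture tool rotated it away first
    return victims


def watch(directory: str, interval_secs: float, **limits) -> None:
    """Counterpart of the batch file's -r secs: prune, sleep, repeat forever."""
    while True:
        prune_directory(directory, **limits)
        time.sleep(interval_secs)


def demo() -> dict:
    """Constructed scenario: 12 capture files of 100 bytes with ascending
    mtimes plus one unrelated .txt file; keep at most 10 .pcap files and at
    most 900 bytes of them. The .txt file must survive because of the pattern."""
    with tempfile.TemporaryDirectory() as d:
        base = time.time() - 3600
        for i in range(12):
            p = Path(d) / f"revolvingfiles_{i:05d}.pcap"
            p.write_bytes(b"\0" * 100)
            os.utime(p, (base + i, base + i))   # file i is older than file i+1
        (Path(d) / "notes.txt").write_text("not a capture")
        deleted = prune_directory(d, count_limit=10, size_limit=900,
                                  pattern="*.pcap")
        left = sorted(p.name for p in Path(d).iterdir())
    return {"deleted": deleted, "left": left}


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from how the thread uses the script. First, keep the count limit above the ring-buffer size (greenfreq used 15 against tshark's -b files:10) so the file tshark is currently writing is never the oldest candidate and the pruner never races the capture tool. Second, pass a pattern that matches only capture names and try dry_run=True first; like the batch file, this deletes whatever in the directory satisfies the limits, with no idea which program created it.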