
can tshark rotate logs when using json output (-T ek)?


I'm trying to ingest packet captures into Elasticsearch, using filebeat. Seems like the ringbuffer doesn't work when using the option "-T ek". I'm using wireshark 3.0.2 on CentOS 7

JoDT, asked 2019-12-23 07:41:03 +0000

Comments

What is the full command line you're using for tshark?
Do you get the same warning as in this question:
https://discuss.elastic.co/t/tshark-a...

Chuckc (2019-12-23 14:32:48 +0000)

It's an extra step but can you write the files in raw mode with ring buffer then process back through tshark to feed JSON to filebeat?

Chuckc (2019-12-23 14:43:22 +0000)

The ring buffer mechanism is for raw capture files (pcap or pcapng files), not for dissected output such as text, JSON, PSML/PDML, or ElasticSearch; the dissected output just gets written to the standard output in TShark, and that inherently has no mechanism for rotating files, so the ElasticSearch output has no ring buffer. Are you saying that you're capturing to a raw capture file and using "-T ek" to get dissected output for the same capture, and the raw capture files aren't being treated as a ring buffer?

Guy Harris (2019-12-24 03:58:58 +0000)

I was only using the -T ek not using the raw capture output. Would piping it to rotatelogs from Apache be an option to get the ringbuffer behaviour? Or would I need to look into the 2-step process? I wanted to get a near real-time feed of tshark into Elastic, so not sure if that's possible with tshark -T ek. Not sure if vichargrave/espcap would be better suited for this

Thanks for the help

JoDT (2019-12-31 11:13:27 +0000)

1 Answer


The ring buffer is a mechanism in the raw binary capture code path (in dumpcap).

There is no ring buffer mechanism for any -T text formats. Note that those mechanisms write to the standard output stream, not to files created by TShark, so a ring buffer mechanism for text output would require that TShark create the text files itself.

If rotatelogs reads its standard input and writes it to a sequence of log files, switching to a new file based on time or file size (as the documentation implies but does not explicitly state, perhaps assuming it's obvious), then piping the output of TShark to rotatelogs should work.

Guy Harris, answered 2019-12-31 20:34:59 +0000, updated 2020-01-01 04:19:19 +0000
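The pipeline the answer describes, as an added example that is not from the original post or from the Wireshark project: the first comment shows the real `tshark | rotatelogs` invocation (interface name, output path and the 300-second rotation interval are assumptions), and `rotate_sink` is a small portable stand-in for rotatelogs so the line-oriented rotation can be checked offline against a constructed `-T ek` stream.

```shell
#!/bin/sh
# Real pipeline (assumed interface and path). -l makes tshark flush stdout after
# each packet so records reach rotatelogs promptly; rotatelogs reads stdin and
# opens a new file every 300 seconds, naming it from the strftime pattern:
#   tshark -l -i eth0 -T ek | rotatelogs /var/log/tshark/ek.%Y%m%d%H%M.json 300

# Constructed stand-in for "tshark -T ek" output: each packet is an
# index-action line followed by the packet document line.
sample_ek_stream() {
  i=1
  while [ "$i" -le 3 ]; do
    printf '{"index":{"_index":"packets-2019-12-23","_type":"doc"}}\n'
    printf '{"timestamp":"157711%d","layers":{"frame":{"frame_frame_number":"%d"}}}\n' "$i" "$i"
    i=$((i + 1))
  done
}

# Minimal rotating sink: read stdin line by line, write $2 lines per file in
# $1, then start the next numbered file. Rotating on whole lines (and an even
# count) keeps each index/document pair inside one file, which a byte-size
# cut would not guarantee.
rotate_sink() {
  dir=$1; per_file=$2
  n=0; seq=0; out=""
  while IFS= read -r line; do
    if [ "$n" -eq 0 ]; then
      seq=$((seq + 1))
      out=$(printf '%s/ek.%04d.json' "$dir" "$seq")
      : > "$out"
    fi
    printf '%s\n' "$line" >> "$out"
    n=$(( (n + 1) % per_file ))
  done
}
```

Running `sample_ek_stream | rotate_sink /tmp/ek 4` yields ek.0001.json with two packets and ek.0002.json with one, each file starting on an index-action line.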
