can tshark rotate logs when using json output (-T ek)?
I'm trying to ingest packet captures into Elasticsearch using filebeat. It seems like the ring buffer doesn't work when using the option "-T ek". I'm using Wireshark 3.0.2 on CentOS 7.
Comments
What is the full command line you're using for tshark? Do you get the same warning as in this question: https://discuss.elastic.co/t/tshark-a...
It's an extra step, but can you write the files in raw mode with a ring buffer, then process them back through tshark to feed JSON to filebeat?

The ring buffer mechanism is for raw capture files (pcap or pcapng files), not for dissected output such as text, JSON, PSML/PDML, or Elasticsearch; the dissected output just gets written to the standard output in TShark, and that inherently has no mechanism for rotating files, so the Elasticsearch output has no ring buffer. Are you saying that you're capturing to a raw capture file and using "-T ek" to get dissected output for the same capture, and the raw capture files aren't being treated as a ring buffer?
I was only using -T ek, not the raw capture output. Would piping it to rotatelogs from Apache be an option to get the ring buffer behaviour? Or would I need to look into the 2-step process? I wanted to get a near real-time feed from tshark into Elastic, so I'm not sure if that's possible with tshark -T ek. Not sure if vichargrave/espcap would be better suited for this.
Thanks for the help
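The two routes discussed in the comments above, the two-step process (tshark's own ring buffer on the raw capture, then a second tshark pass to produce ek output) and the pipe into Apache's rotatelogs, written out as a bash script. This is an added example, not code from the thread or from the Wireshark project; the interface name, spool paths, file sizes and the converted-state file are assumptions chosen for illustration, and the rotatelogs -n option assumes httpd 2.4.5 or later.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Two ways to get rotated "-T ek"
# output for filebeat. Paths, sizes and the spool/state file names are
# assumptions chosen for illustration.
set -euo pipefail

TSHARK="${TSHARK:-tshark}"

# Option A, step 1: let tshark rotate the raw capture. With -b the file named
# by -w becomes a sequence like cap_00001_20190601120000.pcapng; filesize is
# in kB and files:N caps how many files are kept (the ring buffer).
capture_ring() {
    local iface="$1" dir="$2" size_kb="${3:-102400}" nfiles="${4:-10}"
    mkdir -p "$dir"
    "$TSHARK" -i "$iface" -b "filesize:$size_kb" -b "files:$nfiles" -w "$dir/cap.pcapng"
}

# Option A, step 2: list completed capture files, oldest first. Names sort by
# zero-padded sequence number, so the last entry is the one tshark is still
# writing and is skipped.
completed_captures() {
    local dir="$1"
    find "$dir" -maxdepth 1 -name 'cap_*.pcapng' | sort | sed '$d'
}

# Dissect each completed file to ek NDJSON in a spool directory that filebeat
# watches. A state file records what has already been converted, so reruns
# (for example from cron) do not emit duplicates, and tshark remains free to
# expire the old pcapng files on its own.
ek_convert_completed() {
    local dir="$1" spool="$2" state="$3"
    mkdir -p "$spool"
    touch "$state"
    local f base
    completed_captures "$dir" | while IFS= read -r f; do
        base="$(basename "$f" .pcapng)"
        grep -qxF "$base" "$state" && continue
        # write to a temporary name and rename, so filebeat never reads a partial file
        "$TSHARK" -r "$f" -T ek > "$spool/$base.json.tmp"
        mv "$spool/$base.json.tmp" "$spool/$base.json"
        echo "$base" >> "$state"
    done
}

# Option B: stream -T ek straight into Apache's rotatelogs. -l makes tshark
# flush after each packet; rotatelogs -n N keeps a circular set of N files
# (assumes httpd 2.4.5 or later). Caveat: rotatelogs rotates between its own
# read() chunks, so a long ek document can end up split across two files.
ek_via_rotatelogs() {
    local iface="$1" dir="$2" size="${3:-50M}" keep="${4:-10}"
    mkdir -p "$dir"
    "$TSHARK" -i "$iface" -l -T ek | rotatelogs -n "$keep" "$dir/packets.json" "$size"
}

# Usage (assumed interface and paths):
#   capture_ring eth0 /var/spool/tshark &
#   ek_convert_completed /var/spool/tshark /var/spool/ek_spool /var/spool/tshark/.converted
```

Run `ek_convert_completed` periodically while `capture_ring` is running; because it never touches the newest file, it only ever dissects captures that tshark has finished writing, and the state file keeps a second run from re-emitting the same packets to filebeat. Option B gives the near real-time feed at the cost of the mid-line split described in the comment.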