
tshark packet counter disable

Hello. I use the command "tshark -i eth1 > packet.log &". When I run this command, everything works normally, but there is one annoying thing: on the CLI display a counter runs, which counts packets. At the moment when I write some command, it is deleted by this counter, because it adds the new packet count. At this time, the command is written and can be used, but what is typed there cannot be seen. I'm interested: is this a bug, or is there some option with which I can disable this counter? Thank you.

tshark version - tshark -v
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 3.4.10 (Git commit 733b3a137c2b)

Copyright 1998-2021 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.68.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.17.1, without
Lua, with GnuTLS 3.7.6 and PKCS #11 support, with Gcrypt 1.10.0-unknown, with
MIT Kerberos, without MaxMind DB resolver, with nghttp2 1.43.0, without brotli,
without LZ4, with Zstandard, without Snappy, without libxml2.

Running on Linux 5.14.0-284.11.1.el9_2.x86_64, with 11th Gen Intel(R) Core(TM)
i7-1165G7 @ 2.80GHz (with SSE4.2), with 454 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.10.0 (with TPACKET_V3), with GnuTLS 3.7.6,
with Gcrypt 1.10.0-unknown, with zlib 1.2.11, binary plugins supported (0
loaded).

Built using gcc 11.3.1 20221121 (Red Hat 11.3.1-4).
siduki
asked 2023-06-14 07:54:53 +0000
cmaynard
updated 2023-06-14 15:30:08 +0000

Comments

Can you update question with output of tshark -v.

Chuckc (2023-06-14 14:30:11 +0000)

The info:

tshark -v
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 3.4.10 (Git commit 733b3a137c2b)

Copyright 1998-2021 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.68.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.17.1, without
Lua, with GnuTLS 3.7.6 and PKCS #11 support, with Gcrypt 1.10.0-unknown, with
MIT Kerberos, without MaxMind DB resolver, with nghttp2 1.43.0, without brotli,
without LZ4, with Zstandard, without Snappy, without libxml2.

Running on Linux 5.14.0-284.11.1.el9_2 ...
siduki (2023-06-14 15:22:16 +0000)

2 Answers


The tshark man page documents the -Q and -P options. For example:

tshark -i en0 -Q -P > packet.log &

Jim Young
answered 2023-06-14 15:39:40 +0000

Comments

Yes, this works but as the man page for the -Q option indicates, "Only true errors are displayed on the standard error.", so it's possible that there could still be output printed to stderr in some cases. Overall, I do recommend using the -Q -P options, but it may still be useful to redirect stderr to /dev/null if you don't want to see any errors whatsoever.

Also, while I did look at both the -q and -Q options, I neglected to look at the -P option, despite it being right above these other two options. The -P option clearly indicates that output will be generated "... even if packet output is otherwise suppressed with -Q."; however, there is no similar indication in the description of the -Q option that the -P option will override it. I think it would be nice if the documentation for both the -Q ...

cmaynard (2023-06-14 16:38:11 +0000)

From the tshark.c source code:

if (print_packet_counts) {
    /* We're printing packet counts. */
    if (packet_count != 0) {
        fprintf(stderr, "\r%u ", packet_count);
        /* stderr could be line buffered */
        fflush(stderr);
    }
}

Since the packet count is written to stderr, you should be able to redirect it to /dev/null to suppress it, e.g.:

tshark -i eth1 > packet.log 2> /dev/null &
cmaynard
answered 2023-06-14 15:24:34 +0000

Comments

Thank you. It works without &; with &, there is output something like this: [7] 2040, and it doesn't work in the background.

siduki (2023-06-14 15:35:58 +0000)

That's the process number of the background process being displayed. You should be able to suppress that using the instructions provided here: https://unix.stackexchange.com/questi...

For example:

( tshark -i eth1 > packet.log 2> /dev/null & ) > /dev/null 2>&1
cmaynard (2023-06-14 16:42:56 +0000)
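
An added example, not part of the original posts and not tshark's own code: a shell sketch of the stream behaviour discussed in the two answers above. `fake_capture` is a constructed stand-in for tshark that writes packet lines to stdout and a `\r<count> ` counter plus one error line to stderr; the three functions compare `>` alone, `2> /dev/null`, and a filter that drops the counter while keeping error lines, so capture failures are not silently lost.

```sh
# fake_capture is a constructed stand-in for tshark (assumption, not the real
# tool): packet summaries go to stdout; a "\r<count> " counter and one error
# line go to stderr, mirroring the fprintf(stderr, "\r%u ", ...) excerpt.
fake_capture() {
    for i in 1 2 3; do
        printf 'packet %d\n' "$i"
        printf '\r%u ' "$i" >&2
    done
    printf '\nfake_capture: constructed error line\n' >&2
}

# Case 1: "> file" only. stdout lands in the file, but stderr (the counter)
# still reaches the terminal. Here stderr is returned so it can be inspected.
leak_stdout_only() {
    fake_capture 2>&1 >"$1"
}

# Case 2: "> file 2> /dev/null". Nothing reaches the terminal, which also
# discards the error line.
leak_devnull() {
    { fake_capture >"$1" 2>/dev/null; } 2>&1
}

# Case 3: keep errors, drop the counter. "2>&1 >file" sends stderr into the
# pipe and stdout into the file; order of the two redirections matters.
errors_only() {
    fake_capture 2>&1 >"$1" | tr '\r' '\n' | grep -Ev '^([0-9]+ )?$'
}

# Demo run against a temporary file.
log=$(mktemp)
printf 'case 3 keeps: %s\n' "$(errors_only "$log")"
rm -f "$log"
```

With the real tool, the -Q option described in the first answer suppresses the counter at the source; the filter in case 3 only illustrates why discarding all of stderr hides more than the counter.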
