
tshark packet capture redirect to file

Hello. When I use the command

$ tshark -i eth0 -i eth1

it captures and shows packets of both interfaces. When I use this command

$ tshark -i eth0 > eth0.log -i eth1 > eth1.log

it redirects to both files, but captures packets and writes only to the second file (e.g. this time eth1.log). The first file (eth0.log) is also created, but it does not capture packets and does not write to the file; the file is empty. I swapped the places of eth0 and eth1 and the same thing happens: it works for eth0 and does not work for eth1. The command for a single interface also works with no problem. Am I wrong in some command, or does something different happen?

Tshark version - TShark (Wireshark) 3.4.10 (Git commit 733b3a137c2b)
Linux version - Rocky Linux 9.2

siduki
asked 2023-06-15 13:45:21 +0000, updated 2023-06-15 13:46:29 +0000

1 Answer

tshark man page

Capture to a single file:

$ tshark -i eth0 -i eth1 -w capture.pcapng

Then post process into two files:

$ tshark -r capture.pcapng -2 -R "frame.interface_name==eth0" > eth0.log
$ tshark -r capture.pcapng -2 -R "frame.interface_name==eth1" > eth1.log
Chuckc
answered 2023-06-15 14:38:49 +0000

Comments

Thank you, it works, but there is one thing: when the command runs in the background, the second command doesn't work; the process must be aborted to separate the packets into files by interface. I need to run the capture in background mode and, if needed, check an interface's packets without interrupting the packet capture. And another thing: in the capture.pcapng file I see some annoying symbols, sometimes my computer's processor name and so on, but when I process it into files per interface, everything is shown clearly there. The first time, everything in the capture file was also clear, but now I don't know what has happened.

siduki (2023-06-16 06:40:22 +0000)

Would it be simpler to run two parallel capture processes - one on each interface?

Chuckc (2023-06-16 15:59:52 +0000)
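
The parallel-capture approach suggested in the last comment, sketched as an added example (not code from either poster): each interface gets its own tshark process and its own redirection, because in the question's command the shell applies both `>` redirections to the single tshark process and only the last one receives its output. The `TSHARK` and `CAPTURE_DIR` variables and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: one tshark process per interface, each with its own stdout.
# TSHARK and CAPTURE_DIR are assumptions of this sketch; override them from
# the environment if tshark is elsewhere or logs belong in another directory.
TSHARK="${TSHARK:-tshark}"
CAPTURE_DIR="${CAPTURE_DIR:-.}"

# start_captures IFACE...
# Launches one background capture per interface. Each redirection applies to
# that one process only, so eth0 traffic lands in eth0.log, eth1 in eth1.log.
start_captures() {
    for iface in "$@"; do
        # -l flushes stdout after every packet, so the log can be read
        # while the capture is still running.
        "$TSHARK" -l -i "$iface" \
            > "$CAPTURE_DIR/$iface.log" 2> "$CAPTURE_DIR/$iface.err" &
        # Remember the PID so this capture can be stopped on its own later.
        echo "$!" > "$CAPTURE_DIR/$iface.pid"
    done
}

# stop_captures IFACE...
# Stops only the named captures; any others keep running.
stop_captures() {
    for iface in "$@"; do
        pidfile="$CAPTURE_DIR/$iface.pid"
        [ -f "$pidfile" ] || continue
        pid=$(cat "$pidfile")
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
        rm -f "$pidfile"
    done
}

# Typical use from a script or an interactive shell:
#   start_captures eth0 eth1
#   tail -f eth0.log          # inspect one interface, captures keep running
#   stop_captures eth0 eth1
```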