Tshark - Can I use ring buffer with text files

Hello, I log a lot of data and I use text files with tshark, using the "-T json" option. I want to create multiple small text files instead of 1 big file. I tried the "-b interval:1000 -b files:100" to create subfiles of 1Mo but it only works for pcap files, not for json (which is the output by the way). Do you know a way of doing it with tshark?

If not I will have to try to change the output path during the acquisition. Or stopping then restarting with new path...but I'm not really satisfied with this... Thanks and see you.

TenJigoku
asked 2024-04-10 11:19:36 +0000

Comments

The diagram here (WSDG: 7.2. Overview) shows Wireshark but also applies to tshark. Capture (and the ring buffering) is done with dumpcap.
A script monitoring the ring buffer directory looking for new files, process them with tshark to JSON output then discard the capture file? (Easier on *nix (tm). Doable on Windows?)

Chuckc (2024-04-10 14:44:06 +0000)

1 Answer

Do you know a way of doing it with tshark ?

Text dissections are written by TShark to the standard output, so there is no mechanism in TShark to do that.

You could have a program that reads the -T json output of TShark and writes that out in separate files; that program would have to understand the JSON output to an extent necessary to avoid splitting a single packet's JSON between files.

Guy Harris
answered 2024-04-10 21:55:49 +0000
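
One way to write the program this answer describes (an added example, not code from the answer's author or the Wireshark project): it tracks brace depth and string state so that a single packet's JSON is never split between files, and each output file is itself a valid JSON array. The function names, the `packets_*.json` file naming, the script name in the usage comment and the size and file-count defaults are assumptions.

```python
import os
import sys

def iter_packets(chunks):
    """Yield each top-level packet object of the streamed JSON array as text."""
    depth, in_str, esc, buf = 0, False, False, []
    for chunk in chunks:
        for ch in chunk:
            if depth == 0 and ch != "{":
                continue  # skip array brackets, commas and whitespace between packets
            buf.append(ch)
            if in_str:  # braces inside a string value must not change the depth
                in_str = esc or ch != '"'     # only an unescaped quote ends the string
                esc = not esc and ch == "\\"  # a backslash escapes the next character
            elif ch == '"':
                in_str = True
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:  # a whole packet has been read
                    yield "".join(buf)
                    buf = []

def split_to_ring(chunks, out_dir, max_chars=1_000_000, max_files=100):
    """Write packets as valid JSON arrays, rotating by size; return the files kept."""
    os.makedirs(out_dir, exist_ok=True)
    ring, out, size = [], None, 0
    for seq, pkt in enumerate(iter_packets(chunks)):
        if out is None or size + len(pkt) > max_chars:
            if out:
                out.write("\n]\n")
                out.close()
            ring.append(os.path.join(out_dir, f"packets_{seq:08d}.json"))
            out, size = open(ring[-1], "w", encoding="utf-8"), 0
            out.write("[\n")
            if len(ring) > max_files:
                os.remove(ring.pop(0))  # ring buffer: delete the oldest file
        else:
            out.write(",\n")
        out.write(pkt)
        size += len(pkt)
    if out:
        out.write("\n]\n")
        out.close()
    return ring

if __name__ == "__main__":  # e.g. tshark -l -T json | python3 split_json.py outdir
    split_to_ring(sys.stdin, sys.argv[1])
```

Because the packet text is copied through unchanged rather than re-serialized, duplicate field names in a packet's JSON survive as TShark wrote them.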