tshark to write packets to text file every minute?

How do we write packet details (hex values) in a text file after every X secs?

tshark -i eth -b duration:10 -x -w trial.txt

I tried this, but there are junk values in the files rather than the packet bytes in hex.

shenthil asked 2018-06-14 20:30:55 +0000
grahamb updated 2018-06-21 17:46:44 +0000

1 Answer

Try

tshark -i eth -b duration:10 -x > trial.txt

-w specifies a file to which to write packet metadata, and the raw packet data, in binary format, i.e. a capture file.

Running without -w will cause TShark to write packet summaries (without -V) or packet details (with -V), as well as packet hex data as text (with -x), to the standard output, so to get it into a file, redirect the standard output to that file.

Guy Harris answered 2018-06-15 04:13:57 +0000

Comments

When tried as you said, I was getting an error saying Multiple capture files requested

C:\Program Files\Wireshark>tshark -i eth -b duration:10 > test.txt

tshark: Multiple capture files requested, but the capture isn't being saved to a file.

shenthil (2018-06-15 13:44:10 +0000)

When using the -b option, you will need to specify a file to write to. Since it doesn't seem that you actually care about the resulting capture file (which of course also makes one wonder why you're specifying -b in the first place), you may wish to restrict the number of files in the ring buffer to the minimum possible. Unfortunately, due to what seems like a bug to me, you can't specify only 1 file in the ring buffer, so the minimum is 2; therefore try:

tshark -i eth -b files:2 -b duration:10 -x -w trial.pcapng > trial.txt

You can delete the 2 trial*.pcapng files later if you don't need them. Specifying -b files:1 behaves as if the number of files hadn't been specified; you may wish to file a bug report for that behavior at https://bugs ... (more)

cmaynard (2018-06-15 15:14:19 +0000)

To follow up on my previous comment about the odd behavior of -b files:1, I believe this is just another occurrence of Bug 1650.

In my re-testing of this option, after 10 seconds a 2nd file was opened up by dumpcap but the 1st file wasn't able to be deleted, most likely because tshark was still processing it. Later, dumpcap opened up a 3rd file and deleted the 2nd one. When tshark finally completed its processing of the 1st file, it attempted to open the 2nd one, but since it had already been deleted, tshark complained that the 2nd file didn't exist and exited.

Specifically, the error message seen was:

tshark: The file "ask3578_00002_20190102155128.pcapng" doesn't exist.
cmaynard (2019-01-02 21:11:46 +0000)
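
An added example, not part of the original thread and not Wireshark project code: one way to get a new hex text file every N seconds without -b is to pipe the text output of `tshark -i eth -l -x` into a small splitter that rotates only at a packet summary line. The script name `split_hex.py`, the `trial` prefix and the hex-line pattern are assumptions.

```python
#!/usr/bin/env python3
"""Split `tshark -x` text output into one file per interval (added example)."""
import re
import sys
import time

# Assumption: a hex-dump line is a 4-digit hex offset, two spaces, then a byte.
HEX_LINE = re.compile(r"^[0-9a-f]{4}  [0-9a-f]{2}( |$)")


def split_stream(lines, interval, open_file, clock=time.monotonic):
    """Copy lines into files from open_file(index), rotating every `interval` s.

    A new file is started only on a packet summary line (non-blank and not a
    hex-dump line), so a packet's hex dump is never cut in half.
    Returns the number of files written.
    """
    index = 0
    out = None
    started = None
    for line in lines:
        starts_packet = bool(line.strip()) and not HEX_LINE.match(line)
        now = clock()
        if out is None or (starts_packet and now - started >= interval):
            if out is not None:
                out.close()
            out = open_file(index)
            index += 1
            started = now
        out.write(line)
    if out is not None:
        out.close()
    return index


def main(argv):
    interval = float(argv[1]) if len(argv) > 1 else 60.0
    prefix = argv[2] if len(argv) > 2 else "trial"  # hypothetical default prefix
    opener = lambda i: open(f"{prefix}_{i:05d}.txt", "w")
    count = split_stream(sys.stdin, interval, opener)
    print(f"wrote {count} file(s)", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `tshark -i eth -l -x | python split_hex.py 60 trial`; `-l` makes TShark flush standard output after each packet. Rotation is driven by packet arrival, so an interval with no traffic produces no file.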