First time here? Check out the FAQ!

THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.

Ask Your Question

0

tshark tmp file not stop growing

elasticsearch
tshark
retag add tags

I am sending packets from tshark into elasticsearch:

tshark -i ens5 -T ek -x -j -l

My issue is that the tmp file still has the initial packet in it and continues to grow:

capinfos /tmp/wireshark_ens5_20190411122510_JlODTv.pcapng | grep time First packet time:
2019-04-11 12:25:10.637409777 Last packet time: 2019-04-15

Is there any method of pruning the tshark tmp file after the data has been sent to elasticsearch?

asked 2019-04-15 16:34:53 +0000, updated 2019-04-15 16:35:19 +0000

edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

2 Answers

Sort by

0

Have you looked into the capture ring buffer option -b, see the manual page.

answered 2019-04-15 17:56:16 +0000

edit flag offensive 0 remove flag delete link

Comments

In my case the packets are being fed into ElasticSearch in RealTime.

There is no purpose for having the packets stored in a file once they are ingested into ElasticSearch.

As such, I do not see a ringbuffer working, am I missing something?

xq1xq1xq1 (2019-04-15 19:13:06 +0000) edit

add a comment see more comments

0

Is there any method of pruning the tshark tmp file after the data has been sent to elasticsearch?

No. There is, at best, a method for discarding packets once more than a certain number have been written - the ring buffer option mentioned by @Jaap.

answered 2019-04-15 20:21:17 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.