Wireshark mailing list archives

how to use tshark and *not* create a capture file


From: Sean Hennessey <shenness () icontact com>
Date: Thu, 8 Dec 2011 18:07:22 +0000

I'm starting to play w/ tshark (long time tcpdump user) and have run into an interesting problem I hope has a simple 
solution.

I'm on a RHEL machine that sees a ton of traffic. I run tshark -a duration:600 -l -ta and pipe the output to some cuts 
and sorts, etc. to massage the data how I want. Imagine my surprise when I get a disk alert that /tmp has filled up. 
Taking a peek I see a huge wiresharkXXXX..... file there. Even if I knock the time down to :60 or even run tshark w/ no 
-a, I'm still getting the wireshark files hanging out. I don't want any capture saved at all, unless I give it the -w 
option.

Doing some reading I figure it's dumpcap's fault, so I try to make a named pipe and run one command to use dumpcap to 
write to the named pipe and one tshark to read from, but no dice. I create the fifo and run dumpcap -p -w dmpcap and 
get:
The file to which the capture would be saved ("dmpcap") could not be opened: Resource temporarily unavailable.

What in the world am I messing up here? I just want the output to stdout, with no disk space used for temp files. 
Surely this is possible?

tshark -v
TShark 1.2.15

Copyright 1998-2011 Gerald Combs <gerald () wireshark org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.22.5, with libpcap 1.0.0, with libz 1.2.3, without
POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, without c-ares, without
ADNS, without Lua, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos,
without GeoIP.

Running on Linux 2.6.32-131.6.1.el6.x86_64, with libpcap version 1.0.0, GnuTLS
2.8.5, Gcrypt 1.4.5.

Built using gcc 4.4.5 20110214 (Red Hat 4.4.5-6).