Wireshark mailing list archives
how to use tshark and *not* create a capture file
From: Sean Hennessey <shenness () icontact com>
Date: Thu, 8 Dec 2011 18:07:22 +0000
I'm starting to play w/ tshark (long time tcpdump user) and have run into an interesting problem I hope has a simple solution. I'm on a RHEL machine that sees a ton of traffic. I run

    tshark -a duration:600 -l -ta

and pipe the output to some cuts and sorts, etc. to massage the data how I want. Imagine my surprise when I get a disk alert that /tmp has filled up. Taking a peek I see a huge wiresharkXXXX..... file there. Even if I knock the time down to :60 or even run tshark w/ no -a, I'm still getting the wireshark files hanging out. I don't want any capture saved at all, unless I give it the -w option.

Doing some reading I figure it's dumpcap's fault, so I try to make a named pipe and run one command to use dumpcap to write to the named pipe and one tshark to read from, but no dice. I create the fifo and run

    dumpcap -p -w dmpcap

and get:

    The file to which the capture would be saved ("dmpcap") could not be opened: Resource temporarily unavailable.

What in the world am I messing up here? I just want the output to stdout, with no disk space used for temp files. Surely this is possible?

    tshark -v
    TShark 1.2.15

    Copyright 1998-2011 Gerald Combs <gerald () wireshark org> and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    Compiled (64-bit) with GLib 2.22.5, with libpcap 1.0.0, with libz 1.2.3, without
    POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, without c-ares, without
    ADNS, without Lua, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos,
    without GeoIP.

    Running on Linux 2.6.32-131.6.1.el6.x86_64, with libpcap version 1.0.0, GnuTLS
    2.8.5, Gcrypt 1.4.5.

    Built using gcc 4.4.5 20110214 (Red Hat 4.4.5-6).