Wireshark mailing list archives

Re: Run TShark + USBPcap forever on Windows


From: Graham Bloice <graham.bloice () trihedral com>
Date: Sat, 4 Feb 2017 21:20:30 +0000

On 4 February 2017 at 02:44, Matthew Dierker <matthew.dierker () gmail com>
wrote:

> Hi! I'm using TShark to pipe USB packets on Windows from USBPcap to a
> Python program. TShark is run using Python's subprocess library. I'm
> having TShark echo the results to a subprocess.PIPE object as json, and
> I'm reading that in from the Python code. As far as I know, no packets are
> ever written to a file.
>
> It's all working fine, but TShark eventually decides it's time to exit,
> notated by "XXX packets captured" printed to stderr. My goal is to have
> this run indefinitely in the background, and a silent restart isn't a great
> option because of the UAC dialog that pops up each time. Any idea why
> TShark decides to exit if it isn't hitting a file limit?
>
> Sample Params: tshark.exe -i [usb interface] -x -T json -l -Y [display
> filter]
>
> Thanks!


Possibly out of memory, although I'm a little surprised that you get the
summary output if that's the case.

Neither tshark nor Wireshark in general is designed for continuous capture
as they retain state and will eventually run out of memory.  I don't know
if USB traffic does have state to retain, but some empirical testing should
confirm that by inspecting memory usage.

Also, why is there a UAC prompt? No items in the Wireshark suite should
require (or be run with, as this is a security risk) administrator
privileges.


-- 
Graham Bloice
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
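
Added example, not part of the original thread: one way to run the empirical memory check suggested in the reply, by polling Windows `tasklist` for a running TShark process and fitting a growth trend. The function names, the 60-second interval and passing the PID on the command line are assumptions made for this sketch.

```python
import csv
import re
import subprocess
import sys
import time


def parse_tasklist_kib(csv_line):
    """Return the Mem Usage column of one `tasklist /FO CSV /NH` row, or None."""
    row = next(csv.reader([csv_line]), [])
    if len(row) < 5:  # e.g. the INFO line tasklist prints once the PID is gone
        return None
    digits = re.sub(r"\D", "", row[4])  # separators vary with Windows locale
    return int(digits) if digits else None


def growth_kib_per_hour(samples):
    """Least-squares slope of (seconds, KiB) samples, scaled to KiB per hour."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_m = sum(m for _, m in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return 0.0
    cov = sum((t - mean_t) * (m - mean_m) for t, m in samples)
    return cov / var_t * 3600


def watch(pid, interval=60):
    """Poll tasklist for one PID until it exits, printing the running trend."""
    samples, start = [], time.time()
    while True:
        out = subprocess.run(
            ["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
            capture_output=True, text=True).stdout.strip()
        kib = parse_tasklist_kib(out.splitlines()[0]) if out else None
        if kib is None:
            print("process gone; last samples:", samples[-3:])
            return samples
        samples.append((time.time() - start, kib))
        print(f"{kib} K, trend {growth_kib_per_hour(samples):+.0f} K/h")
        time.sleep(interval)


if __name__ == "__main__":
    watch(int(sys.argv[1]))
```

A steadily positive trend up to the moment TShark exits is consistent with the retained-state explanation; a flat trend points elsewhere.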