tshark: save packets in ring buffer files and apply display filters


I need to run tshark to record packets for a long time. While saving the packets I want to also apply display filters as they are parsed to detect errors.

Not to fill the disk and create huge files, I want to use it with the --ring-buffer option. The problem is that tshark doesn't support applying display filters and saving to a file at the same time.

I could use tee to pipe with tshark or tcpdump, but this doesn't work with the ring buffer files. Or use 2 separate processes for this, but there is still the problem of the output files being created and deleted.

Is it possible to have this only with tshark? Or should I just search for another tool like tee that generates the circular buffers?

Thanks


There is 1 answer

Christopher Maynard

Perhaps using a combination of tcpdump and tshark would be useful to you, as in this example?

tcpdump -i eth0 -W 10 -C 1 -w file.pcap -z tshark.sh

Contents of tshark.sh executable script:

#!/bin/sh
# tcpdump -z passes the path of the file it just closed as $1
echo "Post processing $1"
tshark -Y "some display filter" -r "$1"
echo ""

After each file has reached its size limit, the -z postrotate command will be called, and tshark will be able to post-process the file. This isn't real-time per se, as there will be a delay before tshark runs, and it will do so on all packets in the file at once, so you'll get batches of output at a time. You can control the delay to some degree by experimenting with values passed to -C. Larger values will create bigger files but will also incur larger delays in tshark post-processing.

Ideally you could also specify tcpdump's -G rotate_seconds option, but the man page currently indicates that, "If used in conjunction with both -C and -G, the -W option will currently be ignored, and will only affect the file name." I'm not sure why that's the case, but you might consider filing a tcpdump enhancement bug request to see if someone is willing to change this behavior.

You should also be aware of Issue #1015: postrotate-command not run when tcpdump terminated.
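As an added example (not code from the answer), here is a fuller version of tshark.sh for the tcpdump command above. It appends the filter matches to a persistent log, since the ring buffer will overwrite the pcap files themselves, and adds a small wrapper that post-processes the file tcpdump still had open when it stopped, which is the Issue #1015 case. The display filter, the log path, the interface name and the assumption that the script is invoked by absolute path are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the answer): a fuller tshark.sh for
#   tcpdump -i eth0 -W 10 -C 1 -w file.pcap -z /path/to/tshark.sh
# tcpdump calls this script with one argument: the file it just closed.
# FILTER, LOG and the interface are assumed placeholders.

FILTER="${FILTER:-tcp.analysis.retransmission || tcp.analysis.zero_window}"
LOG="${LOG:-/var/log/capture-alerts.log}"
TSHARK="${TSHARK:-tshark}"

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Apply the display filter to one closed ring-buffer file and append the
# matches to LOG, so findings survive the pcap being overwritten later.
post_process() {
    file="$1"
    [ -r "$file" ] || return 1
    "$TSHARK" -Y "$FILTER" -r "$file" 2>/dev/null |
        sed "s|^|$(stamp) $file: |" >> "$LOG"
    echo "$(stamp) $file: done" >> "$LOG"
}

# Newest file of the ring (by mtime). Used as a fallback for tcpdump
# Issue #1015: -z is not run for the file still open when tcpdump stops.
newest_capture() {
    ls -t "$1"* 2>/dev/null | head -n 1
}

# Run the capture; when tcpdump exits, post-process the file it left open.
# Assumes this script is invoked by absolute path so $0 is usable for -z.
# If tcpdump died right after a rotation, that file may be processed twice.
run_capture() {
    iface="$1"; prefix="$2"
    tcpdump -i "$iface" -W 10 -C 1 -w "$prefix" -z "$0" || true
    last=$(newest_capture "$prefix")
    if [ -n "$last" ]; then post_process "$last"; fi
}

# Dispatch: "run <iface> <prefix>" starts a capture; any other argument is
# a closed file handed over by tcpdump -z; no argument only defines functions.
case "${1:-}" in
    run) run_capture "$2" "$3" ;;
    "")  ;;
    *)   post_process "$1" ;;
esac
```

Start it with `/path/to/tshark.sh run eth0 /var/tmp/file.pcap` and read the alerts from the log rather than from the rotating pcap files.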