Wireshark-users: Re: [Wireshark-users] How can I run tshark for days at a time without running ou
From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Date: Thu, 24 Jul 2008 23:05:59 +0400
On Thu, Jul 24, 2008 at 9:10 PM, Marc MERLIN <marc_ws@xxxxxxxxxxx> wrote:
> Can I either:
> 1) skip dumpcap and not have an ever growing file?
From what I understand, dumpcap was introduced to meet this objective:
http://wiki.wireshark.org/Development/PrivilegeSeparation. tshark
spawns dumpcap, and capture is not possible without this.

> 2) tell tshark to quit when the dumpcap file is 10G and I'll restart it in
>   a loop after /bin/rm /tmp/etherXXX*
You should not have to clean up these files manually if the processes
were terminated cleanly. There has been some discussion on this
recently, as you might have seen:
http://www.wireshark.org/lists/wireshark-users/200807/msg00127.html.
If you are also facing this issue, it probably needs to be looked into
more carefully.

>
> Or any other suggestion so that tshark doesn't eat all my disk space?
> (I read about -a capture autostop, but that seems to be if I capture to a file
> and I don't want to capture to a file, I just want pipes and real time
> processing)
Here are a few suggestions:
- you could use the -c option and restart in a loop, but you risk
losing packets between the restarts
- I don't know for sure if it is possible, but you could try the
reverse of what is mentioned in
http://wiki.wireshark.org/CaptureSetup/Pipes
- Haven't ever tried this, but maybe it is possible to use a ring
buffer with a named pipe as an output file.
(I am not quite sure if the last two options would prevent the dumpcap
file from growing though...)

Hope this helps in some way.
Abhik.
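An added example, not from the thread, that puts two of the approaches discussed above into a shell script: a bounded ring buffer (tshark's -b filesize/-b files, which rotates capture files and deletes the oldest) and the -c restart loop from the reply, with -l so decoded packets reach the downstream pipe in real time. The interface name eth0, the sizes, the output path and the awk consumer are assumptions; only tshark options that exist are used.

```shell
#!/bin/sh
# Added example (not from the thread). Two ways to keep a long-running tshark
# from filling the disk. Assumptions: interface eth0, tshark in PATH, and that
# the caller has capture privileges.

# Approach 1: ring buffer. tshark switches to a new file every SIZE_KB
# kilobytes and keeps at most FILES files, deleting the oldest, so disk use is
# bounded at roughly SIZE_KB * FILES. The function only builds the command
# line so it can be inspected (or eval'd) before anything is captured.
ring_capture_cmd() {
    iface=$1; size_kb=$2; files=$3; base=$4
    printf 'tshark -i %s -b filesize:%s -b files:%s -w %s' \
        "$iface" "$size_kb" "$files" "$base"
}

# Approach 2: the -c restart loop from the reply. -l flushes stdout after
# each packet so a consumer on the other side of the pipe sees traffic as it
# arrives; no capture file is kept. Caveat from the reply: packets arriving
# between one tshark exiting and the next starting are lost.
restart_loop() {
    iface=$1; per_run=$2
    while :; do
        tshark -l -i "$iface" -c "$per_run" \
            -T fields -e ip.src -e ip.dst -e frame.len \
            || break   # stop looping if tshark itself fails (e.g. no permission)
    done
}

# Usage (not executed here):
#   eval "$(ring_capture_cmd eth0 102400 10 /var/tmp/cap.pcap)"   # 10 files x 100 MB
#   restart_loop eth0 100000 | awk '{ b[$1] += $3 } END { for (h in b) print h, b[h] }'
```

The first approach still captures to disk, but the total is capped; the second keeps only a pipe open, at the cost of a gap at every restart. Pick -c large enough that restarts are rare, and check tshark's exit status in the loop so a permissions or interface error does not turn into a tight respawn loop.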