On Jul 8, 2009, at 11:43 AM, Juan Perez wrote:
I am running tshark with the "a" and "b" flags to get a ring of 5
files, each of 100 KB of size.
tshark -i eth0 -w my-output-file -a filesize:100 -b files:5
That is working fine but I need to have the capture files in text
format, not in pcap format, for easy parsing.
Then you cannot use the "-w" flag, as that writes files out in pcap
format.
This is the only explanation I have for the "w" flag
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
The man page says
If the -w option is not specified, TShark writes to the standard
output the text of a decoded form of the packets it captures or
reads. If the -w option is specified, TShark writes to the file
specified by that option the raw data of the packets, along with the
packets' time stamps.
and
If you want to write the decoded form of packets to a file, run
TShark without the -w option, and redirect its standard output to the
file (do *not* use the -w option).
and
-w outfile
Write raw packet data to outfile or to the standard output if
outfile is '-'. NOTE: -w provides raw packet data, not text. If you
want text output you need to redirect stdout (e.g. using '>'), don't
use the -w option for this.
The usage message should be changed to indicate that "-w" causes a
binary pcap-format file to be written.
I tried using "-" but it spits the packets out as weird characters on
the screen.
That's because it's writing a pcap file to the standard output, and
you're sending the standard output to your terminal/terminal window
rather than, for example, piping it to another program that reads pcap
files from the standard input.
How can I keep the ring buffer functionality and have the files in text
format?
By modifying TShark to support such a feature; it currently doesn't
support that.
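An added example, not part of this thread and not Wireshark project code, of the workaround the reply leaves open: since -a/-b only rotate the pcap files written with -w, run TShark without -w so it prints decoded text, and pipe that text into a small POSIX shell function that keeps its own ring of text files. The file prefix, file count and line limit are hypothetical parameters chosen for illustration; the rotation function itself never calls tshark, and the capture pipeline at the end only runs when an interface is supplied on the command line and tshark is installed.

```shell
#!/bin/sh
# Added example, not part of the thread: TShark's -a/-b ring buffer only
# applies to pcap files written with -w, so to keep a ring of *text* files
# the rotation is done outside TShark. tshark prints decoded packets to
# stdout when -w is omitted; this script pipes that text through a small
# rotating writer.

# ring_writer PREFIX MAX_FILES MAX_LINES
# Reads lines from stdin and appends them to PREFIX.0000, PREFIX.0001, ...
# starting a new file every MAX_LINES lines and deleting the oldest file
# once more than MAX_FILES exist. Rotation is by line rather than by byte
# so one decoded packet line is never split across two files.
ring_writer() {
    prefix=$1
    max_files=$2
    max_lines=$3
    idx=0        # index of the next file to open
    count=0      # lines written to the current file so far
    cur=""       # path of the current file
    while IFS= read -r line; do
        if [ -z "$cur" ] || [ "$count" -ge "$max_lines" ]; then
            cur=$(printf '%s.%04d' "$prefix" "$idx")
            : > "$cur"            # truncate in case a stale file exists
            idx=$((idx + 1))
            count=0
            # Once the ring is full, drop the oldest file.
            if [ "$idx" -gt "$max_files" ]; then
                rm -f "$(printf '%s.%04d' "$prefix" $((idx - max_files - 1)))"
            fi
        fi
        printf '%s\n' "$line" >> "$cur"
        count=$((count + 1))
    done
}

# ring_count PREFIX: number of ring files currently on disk.
ring_count() {
    n=0
    for f in "$1".*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage (hypothetical paths): sh ring_text.sh eth0 /var/tmp/cap 5 2000
# Keeps 5 files of 2000 decoded lines each under /var/tmp/cap.NNNN.
# -l makes tshark flush after every packet so lines reach the ring promptly.
# The two-process form the reply describes, for when a pcap stream is wanted
# as well, is:  tshark -i "$1" -w - | tshark -r - | ring_writer "$2" "$3" "$4"
if [ "$#" -eq 4 ] && command -v tshark >/dev/null 2>&1; then
    tshark -i "$1" -l | ring_writer "$2" "$3" "$4"
fi
```

The writer rotates on a line count rather than a byte count because a decoded packet occupies one line of tshark's default output; rotating on bytes, as -a filesize does for pcap, could cut a line in half. Any text post-processing that works on the pcap ring files (for example `tshark -r my-output-file_00001_... > out.txt` after the fact) still applies if the pcap files are wanted too.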