Wireshark-users: [Wireshark-users] how to use tshark and *not* create a capture file
I'm starting to play w/ tshark (long time tcpdump user) and have run into an interesting problem I hope has a simple solution.
I'm on a RHEL machine that sees a ton of traffic. I run tshark -a duration:600 -l -ta and pipe the output to some cuts and sorts, etc to massage the data how I want. Imagine my surprise when I get a disk alert that /tmp has filled up. Taking a peek I see a huge wiresharkXXXX..... file there. Even if I knock the time down to :60 or even run tshark w/ no -a, I'm still getting the wireshark files hanging out. I don't want any capture saved at all, unless I give it the -w option.
Doing some reading I figure it's dumpcaps fault, so I try to make a named pipe and run one command to use dumpcap to write to the named pipe and one tshark to read from, but no dice. I create the fifo and run dumpcap -p -w dmpcap and get:
The file to which the capture would be saved ("dmpcap") could not be opened: Resource temporarily unavailable.
What in the world am I messing up here? I just want the output to stdout, with no disk space used for temp files. Surely this is possible?
tshark -v
TShark 1.2.15
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.22.5, with libpcap 1.0.0, with libz 1.2.3, without
POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, without c-ares, without
ADNS, without Lua, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos,
without GeoIP.
Running on Linux 2.6.32-131.6.1.el6.x86_64, with libpcap version 1.0.0, GnuTLS
2.8.5, Gcrypt 1.4.5.
Built using gcc 4.4.5 20110214 (Red Hat 4.4.5-6).