Wireshark mailing list archives

Re: newbie question, tshark input from stdin


From: "Lancashire, Pete" <Pete.Lancashire () portlandoregon gov>
Date: Mon, 3 Feb 2014 14:04:08 -0800

Ended up being /tmp was filling up from temporary wireshark files ...

I will do a new build vs using the one from the distribution

-pete


-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Evan Huus
Sent: Monday, February 03, 2014 1:44 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie question, tshark input from stdin

Hi Pete,

The -i flag is for specifying a network interface for live capture (e.g. eth0) and so doesn't accept "-" to signify stdin. I'm actually a bit surprised you're getting any data at all with that command. I would expect the following to give more useful results:

$ cat pcapfile | tshark -r -

though tshark's ability to read from a pipe has been rather inconsistent up until recently due to the way filetypes are detected.

(Tangential note: tshark 1.4.x is quite old and no longer officially supported. Upgrading is a good idea, if you are able.)

Evan

On Mon, Feb 3, 2014 at 4:16 PM, Lancashire, Pete <Pete.Lancashire () portlandoregon gov> wrote:
A bit confused with tshark -i -

I have a pcap file with 1,177,880 records

$ capinfos pcapfile
File name:           pcapfile
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1177880
File size:           772514406 bytes
Data size:           753668302 bytes
Capture duration:    4800 seconds
Start time:          Fri Jan 31 13:50:00 2014
End time:            Fri Jan 31 15:10:00 2014
Data byte rate:      156999.79 bytes/sec
Data bit rate:       1255998.34 bits/sec
Average packet size: 639.85 bytes
Average packet rate: 245.37 packets/sec
SHA1:                1ad68104a5ea50c2392340a9e5b6f2767e6dd34f
RIPEMD160:           519962c5e8cf8f742ebceb4d06380741fcca537b
MD5:                 9594d754ae507f5cbe7cb6ac43cd361a
Strict time order:   False

tshark is

$ tshark -v
TShark 1.4.10

Copyright 1998-2011 Gerald Combs <gerald () wireshark org> and contributors.
This is free software; see the source for copying conditions. There is 
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.0, with libpcap 1.1.1, without libz, 
without POSIX capabilities, without libpcre, with SMI 0.4.8, without 
c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6, 
with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP.

Running on Linux 2.6.35.14-106.fc14.x86_64, with libpcap version 1.1.1.

Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).

doing
$ tshark -r pcapfile  2>/dev/null | wc -l
1177880

Is what I expected

but
cat pcapfile | tshark -i -

6.027531 192.168.240.107 -> 192.168.2....
499 packets captured

and confirming

cat pcapfile | tshark -i -  2>/dev/null | wc -l
499

What am I doing wrong ?

Thanks

-pete




stops after 499 packets

tshark -r pcapfile | wc -l



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
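Added example for this thread (written for this page; it is not Wireshark, tshark or capinfos code): a minimal libpcap stream reader in Python that does what `cat pcapfile | tshark -r -` asks of tshark. It recognises the file type from the magic bytes in the first 24 bytes (the step Evan says made pipe input "inconsistent"), walks fixed-size record headers without ever seeking, and reports capinfos-style counts. Because the symptom in the thread was a silent undercount (499 of 1,177,880 records), the reader fails loudly on a truncated stream instead of stopping quietly. The sample capture is constructed inline; the 256 KiB per-record sanity bound and the `ChunkedReader` short-read emulation are assumptions of this example, not fields or behaviour of the libpcap format.

```python
"""Stream-oriented libpcap reader: count records from a pipe without seeking."""
import io
import struct
import sys
from dataclasses import dataclass
from typing import Optional

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
MAX_RECORD_LEN = 262144  # sanity bound for one record (example assumption, not a header field)

# libpcap magic numbers as they appear on the wire: endianness and timestamp resolution.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # 0xa1b2c3d4 little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # 0xa1b2c3d4 big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # 0xa1b23c4d little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # 0xa1b23c4d big-endian, nanoseconds
}


@dataclass
class PcapStats:
    packets: int = 0
    data_bytes: int = 0          # sum of captured bytes (capinfos "Data size")
    file_bytes: int = 0          # headers plus data (capinfos "File size")
    snaplen: int = 0
    linktype: int = 0
    start_ts: Optional[float] = None   # earliest timestamp seen
    end_ts: Optional[float] = None     # latest timestamp seen
    strict_time_order: bool = True

    @property
    def duration(self) -> float:
        return 0.0 if self.start_ts is None else self.end_ts - self.start_ts

    @property
    def avg_packet_size(self) -> float:
        return self.data_bytes / self.packets if self.packets else 0.0


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes from a non-seekable stream. Returns b'' only at a clean EOF
    before any byte was read; a partial read at EOF is a truncation and raises."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if buf:
                raise EOFError(f"truncated read: wanted {n} bytes, got {len(buf)}")
            return b""
        buf += chunk
    return buf


def stream_pcap_stats(stream) -> PcapStats:
    """Parse a libpcap stream record by record, the way a pipe must be read (no seeking)."""
    hdr = read_exact(stream, GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN:
        raise ValueError("input too short for a libpcap global header")
    magic = hdr[:4]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap stream (magic {magic.hex()}); pcapng etc. need another reader")
    endian, ts_div = PCAP_MAGICS[magic]
    _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    stats = PcapStats(snaplen=snaplen, linktype=linktype, file_bytes=GLOBAL_HDR_LEN)
    prev_ts = None
    while True:
        rec = read_exact(stream, RECORD_HDR_LEN)
        if not rec:
            break  # clean EOF exactly on a record boundary
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > orig_len or incl_len > MAX_RECORD_LEN:
            raise ValueError(f"record {stats.packets + 1}: implausible incl_len {incl_len} "
                             f"(orig_len {orig_len}); wrong endianness or corrupt stream")
        payload = read_exact(stream, incl_len)
        if len(payload) != incl_len:
            raise EOFError(f"record {stats.packets + 1}: stream ended inside packet data")
        ts = ts_sec + ts_frac / ts_div
        if prev_ts is not None and ts < prev_ts:
            stats.strict_time_order = False   # capinfos "Strict time order: False"
        prev_ts = ts
        stats.packets += 1
        stats.data_bytes += incl_len
        stats.file_bytes += RECORD_HDR_LEN + incl_len
        stats.start_ts = ts if stats.start_ts is None else min(stats.start_ts, ts)
        stats.end_ts = ts if stats.end_ts is None else max(stats.end_ts, ts)
    return stats


class ChunkedReader:
    """Emulates a slow pipe: every read() returns at most `chunk` bytes (example assumption)."""
    def __init__(self, data: bytes, chunk: int = 7):
        self._src, self._chunk = io.BytesIO(data), chunk

    def read(self, n: int) -> bytes:
        return self._src.read(min(n, self._chunk))


def build_sample_pcap(records, snaplen=65535, linktype=1, nanosecond=False) -> bytes:
    """Serialise (ts_sec, ts_frac, frame_bytes, orig_len) tuples into a little-endian libpcap stream."""
    magic = b"\x4d\x3c\xb2\xa1" if nanosecond else b"\xd4\xc3\xb2\xa1"
    out = bytearray(magic + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_frac, frame, orig_len in records:
        out += struct.pack("<IIII", ts_sec, ts_frac, len(frame), orig_len) + frame
    return bytes(out)


# Constructed sample: Ethernet frames (broadcast dst, locally administered src, IPv4 type).
_ETH = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
SAMPLE_RECORDS = [
    (1391211000, 0,      _ETH + b"\x45" + b"\x00" * 27, 42),    # 42-byte frame
    (1391211000, 250000, _ETH + b"\x45" + b"\x00" * 45, 60),    # 60-byte frame
    (1391211002, 0,      _ETH + b"\x45" + b"\x00" * 85, 1514),  # 100 of 1514 bytes captured (sliced)
    (1391211001, 500000, _ETH + b"\x45" + b"\x00" * 27, 42),    # timestamp goes backwards
]


def stats_from_bytes(blob: bytes, chunk: Optional[int] = None) -> PcapStats:
    """Parse an in-memory pcap, optionally through the short-read pipe emulation."""
    return stream_pcap_stats(ChunkedReader(blob, chunk) if chunk else io.BytesIO(blob))


if __name__ == "__main__":
    # usage: cat pcapfile | python3 pcap_stream.py   (falls back to the constructed sample on a tty)
    src = sys.stdin.buffer if not sys.stdin.isatty() else ChunkedReader(build_sample_pcap(SAMPLE_RECORDS))
    s = stream_pcap_stats(src)
    print(f"Number of packets:   {s.packets}\nFile size:           {s.file_bytes} bytes\n"
          f"Data size:           {s.data_bytes} bytes\nCapture duration:    {s.duration:g} seconds\n"
          f"Average packet size: {s.avg_packet_size:.2f} bytes\nStrict time order:   {s.strict_time_order}")
```

The reader treats a short read at EOF as an error rather than a stop condition, which is the check to add when a count from a pipe disagrees with `tshark -r pcapfile | wc -l`: any number of records lost to a truncated stream surfaces as an exception, not as a smaller total.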