≡ Menu

How to Use Wireshark Tshark to Specify File, Time, Buffer Capture Limits

This tutorial explains few practical and useful scenarios in using the tshark command.

You’ll understand how to auto-save captures to multiple files, auto-save captures based on time limits, specify your own buffer size for capture, extract specific fields from the capture, and display statistics for a specific protocol from a capture.

1. Auto-save Captures to Multiple Files

For example on your production server, you want to capture traffic data for an extended period of time. You like to use these captures later to analyze the data.

In that situation, instead of storing all the outputs in a single file, you may want to automatically break down the captures into multiple files based on a size that you specify.

The following example will capture the network traffic to 20 files, each sized 100 KB, and then the capture will stop automatically.

# tshark -b filesize:100 -a files:20 -w temp.pcap 
Running as user "root" and group "root". This could be dangerous. 
Capturing on eth0 
28 

# ls -lrt 
total 12 
-rw------- 1 root root 1088 Apr 10 16:02 capture_00001_20140410160213.pcap 
-rw------- 1 root root 1088 Apr 10 16:02 capture_00002_20140410160215.pcap

In the above:

  • -b is the ring buffer option
  • filesize:100 indicates that the maximum size of the output capture file is 100 KB
  • files:20 indicates that the total number of output files that should be created is 20
  • -a indicates auto-stop

2. Auto-save Captures Based on Time Limit

The following example will capture the network traffic to multiple files. But, it will switch to new files when file size reaches 10240 KB or when 1 second is elapsed. You can use auto-stop conditions accordingly.

# tshark -b filesize:10240 -b duration:1 -w temp.pcap 
Running as user "root" and group "root". This could be dangerous. 
Capturing on eth0 
34 

# ls -lrt 
-rw------- 1 root root 1863 Apr 10 16:13 temp_00001_20140410161312.pcap 
-rw------- 1 root root 1357 Apr 10 16:13 temp_00002_20140410161313.pcap 
-rw------- 1 root root 1476 Apr 10 16:13 temp_00003_20140410161314.pcap 
-rw------- 1 root root 1216 Apr 10 16:13 temp_00004_20140410161315.pcap

3. Specify Capture Buffer Size

This scenario is helpful when you are facing packet drops during capture.

In those situations, you can specify a capture buffer size in MB using -B option. The default capture size is 1MB.

This is used by the the capture driver to buffer packet data until that data can be written to disk. If you encounter packet drops while capturing, try to increase this size.

# tshark -B 2 
2.	Running as user "root" and group "root". This could be dangerous. 
3.	Capturing on eth0 
4.	  0.000000 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.30.59.101?  Tell 10.30.32.1 
5.	  0.064507 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.70.11.143?  Tell 10.70.0.1 
6.	  0.067515 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.70.11.143?  Tell 10.70.0.1 
7.	  0.089554 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.30.50.212?  Tell 10.30.32.1 
8.	  0.183726 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.30.36.86?  Tell 
10.30.32.1

4. Capture Using “decode as” option

This scenario is helpful when you need to specify how a layer type should be dissected.

This is same as wireshark “decode as” option, but sometimes specified selector value is different from the value present in packet. For example, suppose a diameter packet has source and destination port number different from 3868 (default port number), then you need to specify this value to tshark so that it can dissect it properly.

# tshark -r capture.pcap -d sctp.port==3869,diameter   
82 212.059173 192.168.105.20 -> 192.168.105.30 DIAMETER 262 cmd=Capabilities-ExchangeRequest(257) flags=R--- appl=Diameter Common Messages(0) h2h=204a16 e2e=67700000 
 83 212.059330 192.168.105.30 -> 192.168.105.20 SCTP 62 SACK 
 84 212.078804 192.168.105.30 -> 192.168.105.20 DIAMETER 294 cmd=Capabilities-ExchangeAnswer(257) flags=---- appl=Diameter Common Messages(0) h2h=204a16 e2e=67700000 
 85 212.080569 192.168.105.30 -> 192.168.105.20 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a29 e2e=63d00002 
 86 212.084960 192.168.105.20 -> 192.168.105.30 SCTP 62 SACK 
 87 212.084998 192.168.105.20 -> 192.168.105.30 DIAMETER 178 SACK cmd=Device-WatchdogAnswer(280) flags=---- appl=Diameter Common Messages(0) h2h=5542a29 e2e=63d00002 
 88 212.100324 192.168.105.30 -> 192.168.105.20 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a2a e2e=63d00003 
 89 212.101629 192.168.105.20 -> 192.168.105.30 DIAMETER 178 SACK cmd=Device-WatchdogAnswer(280) flags=---- appl=Diameter Common Messages(0) h2h=5542a2a e2e=63d00003 
 90 212.110997 192.168.105.30 -> 192.168.105.20 SCTP 62 SACK 
 91 212.119855 192.168.105.30 -> 192.168.105.20 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a2b e2e=63d00004

5. Extract Specific Fields

For example, this scenarios is helpful when you like to extracting specific fields from diameter protocol packets.

You already know how to capture data for services that runs on non-standard ports using tshark command.

Currently tshark supports this option for few set of protocols.

You can also do the same thing using -V option, and combining with a quick scripting or grep command. But, the method shown below is faster for very large files.

# tshark  -q -r capture.pcap -R diameter -z diameter,avp,257,Origin-Host 
Running as user "root" and group "root". This could be dangerous. 
frame='82' time='212.059176' src='192.168.105.20' srcport='35132' dst='192.168.105.30' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='82' ans_frame='0' resp_time='0.000000' Origin-Host='backend.eap.testbed.aaa' 
frame='84' time='212.078807' src='192.168.105.30' srcport='3868' dst='192.168.105.20' dstport='35132' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='82' ans_frame='84' resp_time='0.019631' Origin-Host='gw.eap.testbed.aaa' 
frame='126' time='225.283773' src='192.168.105.40' srcport='2844' dst='192.168.105.30' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='126' ans_frame='0' resp_time='0.000000' Origin-Host='opendiam.eap.testbed.aaa' 
frame='130' time='225.295815' src='192.168.105.30' srcport='3868' dst='192.168.105.40' dstport='2844' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='126' ans_frame='130' resp_time='0.012042' Origin-Host='gw.eap.testbed.aaa' 
=== Diameter Summary === 
requset count:	2 
answer count:	2 
req/ans pairs:	2

6. Display Statistics for Specific Protocol

You can also display statistics from a cpatured file for a specific protocol.

For example, the following prints the statistics from a captured file for HTTP protocol

# tshark  -q -r a.pcap -R http -z http,tree 
Running as user "root" and group "root". This could be dangerous. 

=================================================================== 
 HTTP/Packet Counter           value	        rate	     percent 
------------------------------------------------------------------- 
 Total HTTP Packets               7       0.000375                
  HTTP Request Packets            4       0.000214          57.14% 
   GET                            4       0.000214         100.00% 
  HTTP Response Packets           3       0.000161          42.86% 
   2xx: Success                   2       0.000107          66.67% 
    200 OK                        2       0.000107         100.00% 
   3xx: Redirection               1       0.000054          33.33% 
    302 Found                     1       0.000054         100.00% 
   5xx: Server Error              0       0.000000           0.00% 
  Other HTTP Packets              0       0.000000           0.00% 
Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • c.popescu February 17, 2016, 4:22 am

    very interesting post.
    is there an option, in case of multiple files save, to delete the oldest file?