Reputation: 13
Requirement: I need to obtain files/objects of any kind that are being downloaded via my wifi interface.
I am running tshark to listen to my wifi interface and export HTTP objects to a given directory using the following command.
tshark -i wlp4s0 --export-object "http,/tmp/tshark-objects/"
It successfully intercepts the objects but does not write them automatically in the specified path unless I manually stop tshark using "Ctrl+C".
Question: How do I export objects of any kind that are downloaded via different protocols using the same command/script?
Constraint:
I want tshark to run continuously and export the objects as soon as they are transmitted over the network. PS: Using tshark is not mandatory for me. I can switch to some other tool if that fulfills this requirement.
Upvotes: 1
Views: 1545
Reputation: 13
Ross Jacobs' answer does the main work. I used it with a few tweaks as follows:
#!/bin/bash
TARGET=/tmp/tshark-dumps/unprocessed/
PROCESSED=/tmp/tshark-dumps/processed/
# Wait for tshark to close each rotated capture file, then export its HTTP objects.
inotifywait -m -e "CLOSE" --format "%f" "$TARGET" \
| while read -r FILENAME
do
    echo "Detected $TARGET$FILENAME, processing"
    if [[ -f "$TARGET$FILENAME" ]]; then
        tshark -r "$TARGET$FILENAME" -Q --export-object "http,/tmp/tshark-objects/"
        mv "$TARGET$FILENAME" "$PROCESSED$FILENAME"
        gzip "$PROCESSED$FILENAME"
    fi
done
Upvotes: 0
Reputation: 3186
The answer is that you should write and export with different tshark processes. This can be done with file rotation by creating a new file on a condition. There are a couple of different options you can use:
-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is an exact multiple of NUM secs
For example, to rotate every minute, use
$ tshark -b duration:60 -w output.pcap
To export objects from new files as they appear, you need to watch the filesystem for new files. You can use inotify on Linux, fswatch on OS X, or similar utilities on other platforms.
Here, every new file triggers a tshark export of files. Use -Q in both to prevent tshark from printing the packets in each of these incoming truncated files.
$ tshark -b duration:60 -w output.pcap
$ fswatch . | while read -r f
do tshark -r "$f" -Q --export-object "http,/tmp/tshark-objects/"
done
$ tshark -b duration:60 -w output.pcap
$ inotifywait . -m -e "CLOSE" --format "%f" | while read -r f
do tshark -r "$f" -Q --export-object "http,/tmp/tshark-objects/"
done
Upvotes: 2
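As an added example that is not part of the question or either answer, here is a polling variant of the same writer/reader split for the "other platforms" the answer mentions, where neither inotifywait nor fswatch is available. It relies on the ring buffer's strictly increasing file counter to tell closed files from the one tshark is still writing; the directory paths, interface name and poll interval are assumptions.

```shell
#!/bin/bash
# Added example, not from the question or the answers: a polling watcher
# for systems without inotifywait or fswatch. "-b duration:60 -w capture.pcap"
# makes tshark write capture_00001_<timestamp>.pcap, capture_00002_..., with a
# strictly increasing counter, so every file below the highest counter is
# already closed and safe to read. Directories, interface, interval: assumed.
set -eu
CAPTURE_DIR=${CAPTURE_DIR:-/tmp/tshark-dumps}
OBJECT_DIR=${OBJECT_DIR:-/tmp/tshark-objects}
PROCESSED_DIR=${PROCESSED_DIR:-/tmp/tshark-dumps/processed}
IFACE=${IFACE:-wlp4s0}
# Print the zero-padded counter embedded in a ring-buffer file name or path.
capture_counter() {
    local name=${1##*/}           # strip any directory part
    name=${name%_*}               # drop the _<timestamp>.pcap suffix
    printf '%s\n' "${name##*_}"   # the text after the last _ is the counter
}

# Print, one per line, the files tshark has finished writing: every
# argument except the one carrying the highest counter.
completed_captures() {
    local max=0 c f
    for f in "$@"; do
        c=$(capture_counter "$f"); if [ "$c" -gt "$max" ]; then max=$c; fi
    done
    for f in "$@"; do
        if [ "$(capture_counter "$f")" -lt "$max" ]; then printf '%s\n' "$f"; fi
    done
}

# Export the HTTP objects of one closed capture, then archive it; -Q keeps
# tshark from printing every packet of the file.
export_objects() {
    tshark -r "$1" -Q --export-object "http,$OBJECT_DIR/"
    mv "$1" "$PROCESSED_DIR/"
    gzip "$PROCESSED_DIR/${1##*/}"
}

main() {
    mkdir -p "$CAPTURE_DIR" "$OBJECT_DIR" "$PROCESSED_DIR"
    tshark -i "$IFACE" -Q -b duration:60 -w "$CAPTURE_DIR/capture.pcap" &
    trap 'kill $!' EXIT
    while sleep 5; do
        set -- "$CAPTURE_DIR"/capture_*.pcap
        [ -e "$1" ] || continue             # no rotated file yet
        for f in $(completed_captures "$@"); do export_objects "$f"; done
    done
}
# Only "script.sh run" starts the capture; sourcing just defines the functions.
if [ "${1-}" = run ]; then main; fi
```

Because the newest file is never opened, a file is processed at most one rotation interval after tshark closes it, which is the same latency the inotify approach achieves without needing a filesystem watcher.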