Reputation: 65
I am using Wireshark 3.2.6 along with USBPcap. I would like to read the output files that Wireshark creates while capturing USB packets (.pcap), and I would like to support live reading, so basically when the live capture changes the output file (appends more data to it), my application will detect that the file was changed and process that additional data. That works fine, but the problem is that Wireshark updates the file only when you focus on the Wireshark application - when you have it on your screen and it is the actual window you are working with. It seems like every time Wireshark is in the background, it doesn't change the file but somehow stores data in its internal buffer, and only when you focus on the Wireshark app does it flush all the data to the file. This isn't good for me since I have to switch between my app and Wireshark every time I want to see changes in the file.
Is there any way to turn this off and make Wireshark not buffer packet data but constantly write it to the file even if Wireshark itself isn't the main window on the screen?
Upvotes: 0
Views: 1182
Reputation: 1
The inotify handle is gotten when you set the output->permanent-file.
If you clobber the output file then maybe that's tripping up the GUI.
Wireshark should get the inotify handle of the File->Open pcap, or of the one put on the wireshark /tmp/my.pcap command line.
But it doesn't seem to. Instead the workaround is to use the File->Open Recent shortcut. i.e. press "THE MICROSOFT WINDOWS START KEY" and 0.
Upvotes: 0
Reputation: 21
That works fine, but the problem is that Wireshark updates the file only when you focus on the Wireshark application - when you have it on your screen and it is the actual window you are working with. It seems like every time Wireshark is in the background, it doesn't change the file but somehow stores data in its internal buffer, and only when you focus on the Wireshark app does it flush all the data to the file.
The Wireshark program does not itself write to a live capture file; to do a capture, it runs the dumpcap program, which is part of the Wireshark distribution. That program runs in the background, writing to the capture file, and sends messages to the main Wireshark process telling it that some number of packets have been written to the file; Wireshark should, when it receives one of those messages, read those packets from the file and update the display.
If the file isn't getting written to by dumpcap if Wireshark isn't in the foreground, that's a bug, and you should report it as an issue on the Wireshark issues list.
Upvotes: 0
Reputation: 3186
You can set an output file with both Wireshark and tshark. Both solutions are included to give you more leeway in triggering your capture.
The behavior you describe, where Wireshark doesn't write packets when it isn't the focused window, is not something that I can replicate on my Windows machine. If you can replicate this bug, you may want to ask on ask.wireshark.org.
Using Wireshark 3.4.5
Set the capture file with Capture > Options > Capture to a permanent file.
Use tshark, the command line equivalent of Wireshark, instead. You may or may not have it installed, depending on your installation. You can write to a file like so:
tshark -w my_live_capture.pcapng
Once you've started this capture, you should be able to enter my_live_capture.pcapng into your application. tshark will continually update this file until you kill the capture.
You can verify this on WSL (tailing files in powershell is a little more difficult) like so:
tail -f ---disable-inotify temp.pcap | tshark -r -
Note: ---disable-inotify is required for WSL tail per https://github.com/microsoft/WSL/issues/3942.
You may also want to see whether dumpcap better suits your needs instead because tshark has ~0.2% packet loss by comparison. tshark (and Wireshark) call dumpcap in order to capture.
Upvotes: 0
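The questioner's own application has to cope with the situation every answer above describes: dumpcap (whether launched by Wireshark or by tshark -w) appends to the capture file while the reader is still consuming it, so at any poll the file may end in the middle of a packet record. The following added example (not code from any answer above, and not part of Wireshark) shows an incremental reader for the classic .pcap format that buffers partial records and only emits complete packets, plus a simple size-polling tail that does not depend on inotify (the WSL caveat mentioned above). It assumes classic pcap input; tshark -w writes pcapng by default, so a capture intended for this reader would be started with tshark -F pcap -w file.pcap. The sample capture is constructed in the block itself.

```python
import struct
import time

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng Section Header Block type; tshark -w default format


class IncrementalPcapReader:
    """Parses a classic .pcap byte stream that arrives in arbitrary chunks.

    Whole packet records are returned as soon as they are complete; a record
    whose tail has not been written yet stays buffered until the next feed()
    call. That is exactly the situation when dumpcap is still appending to the
    file being read.
    """

    def __init__(self):
        self.buf = b""
        self.endian = None      # "<" or ">" once the global header is parsed
        self.nanos = False      # True for the nanosecond-resolution magic
        self.linktype = None
        self.packets_seen = 0

    def _parse_global_header(self):
        if len(self.buf) < GLOBAL_HEADER_LEN:
            return False
        magic = struct.unpack("<I", self.buf[:4])[0]
        if magic == PCAPNG_MAGIC:
            raise ValueError("pcapng input; this reader handles classic pcap only")
        if magic in (0xA1B2C3D4, 0xA1B23C4D):
            self.endian = "<"
        elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
            self.endian = ">"
        else:
            raise ValueError("not a pcap stream: magic 0x%08x" % magic)
        self.nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
        self.linktype = struct.unpack(self.endian + "I", self.buf[20:24])[0]
        self.buf = self.buf[GLOBAL_HEADER_LEN:]
        return True

    def feed(self, data):
        """Append newly read bytes; return a list of (timestamp, orig_len, packet_bytes)."""
        self.buf += data
        out = []
        if self.endian is None and not self._parse_global_header():
            return out
        while len(self.buf) >= RECORD_HEADER_LEN:
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
                self.endian + "IIII", self.buf[:RECORD_HEADER_LEN])
            end = RECORD_HEADER_LEN + incl_len
            if len(self.buf) < end:
                break                       # record still being written; wait for more
            ts = ts_sec + ts_frac / (1e9 if self.nanos else 1e6)
            out.append((ts, orig_len, self.buf[RECORD_HEADER_LEN:end]))
            self.buf = self.buf[end:]
            self.packets_seen += 1
        return out


def follow_pcap(path, poll_interval=0.5, stop_after=None):
    """Generator that tails a growing .pcap file and yields complete packets.

    Polls for new bytes instead of relying on inotify, so it behaves the same
    on filesystems where inotify does not fire (the WSL case in the thread).
    """
    reader = IncrementalPcapReader()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(65536)
            if chunk:
                for pkt in reader.feed(chunk):
                    yield pkt
                    if stop_after is not None and reader.packets_seen >= stop_after:
                        return
            else:
                time.sleep(poll_interval)


def build_sample_pcap(nanos=False):
    """Constructed sample: a little-endian pcap holding two Ethernet frames."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    hdr = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frames = [b"\xff" * 14 + b"hello", b"\xaa" * 14 + b"world!!"]
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1600000000 + i, 500, len(frame), len(frame)) + frame
    return hdr + body


def replay_in_chunks(blob, chunk_size):
    """Feed a blob through the reader a few bytes at a time, as tailing would."""
    reader = IncrementalPcapReader()
    packets = []
    for i in range(0, len(blob), chunk_size):
        packets.extend(reader.feed(blob[i:i + chunk_size]))
    return packets, reader


if __name__ == "__main__":
    pkts, rdr = replay_in_chunks(build_sample_pcap(), 7)
    for ts, orig_len, data in pkts:
        print("%.6f len=%d payload=%r" % (ts, orig_len, data[14:]))
```

Running the block replays the constructed capture seven bytes at a time, so every record boundary is crossed mid-record, and still yields exactly the two frames. For a live capture, `for ts, orig_len, frame in follow_pcap("my_live_capture.pcap"):` consumes packets as dumpcap writes them; the reader raises a clear error rather than misparsing if the file turns out to be pcapng.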