I'm running tshark to dump wireless traffic. I am currently running in multiple files mode, splitting output into 50MB chunks. Is there any way to also have these 50MB chunks compressed with something like gzip or lzma?

I'm aware that in single file mode I could pipe the output from tshark to gzip and then on to split, but I'd like each pcap file to be readable on its own, without needing to decompress every part of the compressed file.

Michael Hampton
Daniel Murphy

2 Answers

I was looking into the same problem just now. I don't know if you found your solution, but I ended up using a Linux bash script to solve this problem.

Below is the script.

#!/bin/bash
# Capture in slices of 300 s / 500000 kB (about 500 MB; -a filesize: counts kilobytes)
# and gzip each slice on the fly, so every TRACE/trace_N.gzip is a complete capture.
FILENO=300
COUNTER=0
mkdir -p TRACE
while [ "$COUNTER" -lt "$FILENO" ]; do
    # tshark stops at the duration or size limit and streams the capture to stdout,
    # which gzip writes as one self-contained compressed file.
    sudo tshark -i any -a duration:300 -a filesize:500000 -w - | gzip -9 -f > "TRACE/trace_$COUNTER.gzip"
    # Wrap COUNTER at FILENO so old slices are overwritten (a ring of FILENO files);
    # the loop condition is therefore always true and the loop runs until interrupted.
    COUNTER=$(( (COUNTER + 1) % FILENO ))
done
kasperd
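A different way to get the same result, added here as an example and not code from the original answer or from the Wireshark project: instead of restarting tshark for every slice (which loses the packets that arrive between one run ending and the next starting), let tshark split the capture itself with its multiple-files mode and run a small sidecar loop that gzips each chunk once tshark has moved on to the next one. Every resulting .gz is a complete capture that tshark -r can read on its own. The interface name, output directory and 50 MB chunk size are assumptions; the helper names are my own.

```shell
#!/bin/bash
# Added example (not from the original post or the Wireshark project):
# tshark does the splitting with -b filesize:<kB>; compress_finished_captures
# gzips every chunk except the one tshark is still writing.

CAPDIR="${CAPDIR:-captures}"      # assumed output directory
IFACE="${IFACE:-wlan0mon}"        # assumed monitor-mode interface
CHUNK_KB=51200                    # 50 MB; -b filesize: counts kilobytes

# Start tshark in the background. With -b filesize: it names the files
# <prefix>_<NNNNN>_<YYYYMMDDhhmmss>.pcapng and opens a new one whenever the
# current one reaches CHUNK_KB. The PID is left in CAPTURE_PID.
start_capture() {
    mkdir -p "$CAPDIR"
    tshark -i "$IFACE" -b "filesize:$CHUNK_KB" -w "$CAPDIR/trace.pcapng" \
        >/dev/null 2>"$CAPDIR/tshark.log" &
    CAPTURE_PID=$!
}

# Compress every .pcapng in a directory except the most recently modified
# one, which is the chunk tshark is still writing. Prints each .gz it made.
compress_finished_captures() {
    local dir="$1" newest f
    newest=$(ls -t "$dir"/*.pcapng 2>/dev/null | head -n 1)
    for f in "$dir"/*.pcapng; do
        [ -e "$f" ] || continue          # glob matched nothing
        [ "$f" = "$newest" ] && continue # still open in tshark, leave it
        gzip -9 "$f" && echo "$f.gz"
    done
    return 0
}

# Driver: runs only when RUN_CAPTURE=1, so the functions above can be
# sourced and exercised on a box without a capture interface.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    start_capture
    trap 'kill "$CAPTURE_PID" 2>/dev/null' EXIT
    while kill -0 "$CAPTURE_PID" 2>/dev/null; do
        compress_finished_captures "$CAPDIR"
        sleep 10
    done
fi
```

Two caveats from running this kind of setup. Skipping the newest file is what keeps you from gzipping a chunk mid-write; if you want a tighter guarantee, check that the file's size has stopped growing between two polls before compressing it. And if you add -b files:N to make tshark keep a ring of N chunks, tshark deletes old chunks by the name it gave them, so once a chunk has been renamed to .gz that cleanup no longer applies and disk usage of the compressed files becomes your job. Newer tshark/dumpcap releases also advertise a --compress-type gzip option that would remove the need for the sidecar entirely; check tshark --help on your version before relying on it.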
Wireshark can be compiled with zlib support, so both the Wireshark graphical app and the tshark command-line app can read gzip files.

Here is me capturing traffic:

# tcpdump -n -i br0 -w tcpdump.pcap
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C281 packets captured
281 packets received by filter
0 packets dropped by kernel

then compressing it:

$ gzip tcpdump.pcap 
$ ls -lgo
total 88
-rw-r--r--. 1 89875 Jul 24 22:11 tcpdump.pcap.gz

and reading directly from the compressed file:

$ tshark -nr tcpdump.pcap.gz | head -n5
1   0.000000 192.168.1.69 41342 192.168.1.1  53 DNS 75 Standard query 0x1716  A plus.google.com
2   0.004990  192.168.1.1 53 192.168.1.69 41342 DNS 251 Standard query response 0x1716  A 74.125.237.134 A 74.125.237.135 A 74.125.237.136 A 74.125.237.137 A 74.125.237.132 A 74.125.237.129 A 74.125.237.128 A 74.125.237.130 A 74.125.237.133 A 74.125.237.142 A 74.125.237.131
3   0.005274 192.168.1.69 54794 74.125.237.134 443 TCP 74 54794 > 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=612252515 TSecr=0 WS=128
4   0.024052 74.125.237.134 443 192.168.1.69 54794 TCP 74 443 > 54794 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1376 SACK_PERM=1 TSval=639245311 TSecr=612252515 WS=64
5   0.024078 192.168.1.69 54794 74.125.237.134 443 TCP 66 54794 > 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=612252534 TSecr=639245311
suprjami
  • I'm aware that Wireshark and tshark can read gzipped files. My question was in reference to the ability of tshark to split its captures using the Multiple Files mode. I want each capture to be a self-contained file that is also compressed, rather than compressing one large capture. – Daniel Murphy Jul 28 '14 at 09:39