Wireshark-users: Re: [Wireshark-users] format of output file



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 8 Jul 2009 12:06:58 -0700


On Jul 8, 2009, at 11:43 AM, Juan Perez wrote:

> I am running tshark with the "a" and "b" flags to get a ring of 5 files, each of 100 KB of size.
>
> tshark -i eth0 -w my-output-file -a filesize:100 -b files:5
>
> That is working fine but I need to have the capture files in text format, not in pcap format, for easy parsing.

Then you cannot use the "-w" flag, as that writes files out in pcap format.

> This is the only explanation I have for the "w" flag
>
> Output:
>  -w <outfile|->           set the output filename (or '-' for stdout)

The man page says

If the -w option is not specified, TShark writes to the standard output the text of a decoded form of the packets it captures or reads. If the -w option is specified, TShark writes to the file specified by that option the raw data of the packets, along with the packets' time stamps.

and

If you want to write the decoded form of packets to a file, run TShark without the -w option, and redirect its standard output to the file (do *not* use the -w option).

and

	-w outfile
Write raw packet data to outfile or to the standard output if outfile is '-'. NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.

The usage message should be changed to indicate that "-w" causes a binary pcap-format file to be written.

> I tried using "-" but it spits the packets in weird characters to the screen.

That's because it's writing a pcap file to the standard output, and you're sending the standard output to your terminal/terminal window rather than, for example, piping it to another program that reads pcap files from the standard input.

> How can I keep the ring buffer functionality and have the files in text format?

By modifying TShark to support such a feature; it currently doesn't support that.
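Two small POSIX shell helpers, added here as an example and not part of this thread or of TShark itself, that follow up on the two points above. `capture_format` reads the first four bytes of a file and reports whether it is a pcap file (the "weird characters" that appear when `-w -` goes to a terminal), a pcapng file, or plain text. `ring_text_writer` goes a step beyond the thread: it reads TShark's decoded text from standard input and rotates it through a fixed ring of files by size, which is the behaviour of `-b files:N -a filesize:K` done outside TShark for the text output TShark cannot ring itself. The function names, the file name prefix and the sample bytes in the usage comments are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread or from TShark): helpers for TShark text output.

# capture_format FILE
# Print "pcap", "pcapng" or "text" based on the first four bytes of FILE.
# A file written by "tshark -w" starts with one of the pcap magic numbers
# (little- or big-endian, microsecond or nanosecond variant) or with the
# pcapng Section Header Block type; decoded text output has no such header.
capture_format() {
  cf_magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
  case "$cf_magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
    0a0d0d0a) echo pcapng ;;
    *) echo text ;;
  esac
}

# ring_text_writer PREFIX NFILES MAXBYTES
# Read lines from standard input and append them to PREFIX.0, PREFIX.1, ...
# When the current file would grow past MAXBYTES, move to the next index;
# after PREFIX.(NFILES-1) wrap around to PREFIX.0 and truncate it, so at most
# NFILES files ever exist, mirroring "-b files:NFILES -a filesize:K" for text.
# Sizes are counted in characters, which equals bytes for ASCII output.
# A single line longer than MAXBYTES is still written whole into an empty file.
ring_text_writer() {
  rw_prefix=$1; rw_nfiles=$2; rw_max=$3
  rw_idx=0; rw_written=0
  : > "$rw_prefix.$rw_idx"                   # start with an empty first file
  while IFS= read -r rw_line; do
    rw_len=$(( ${#rw_line} + 1 ))            # +1 for the newline
    if [ "$rw_written" -gt 0 ] && [ $(( rw_written + rw_len )) -gt "$rw_max" ]; then
      rw_idx=$(( (rw_idx + 1) % rw_nfiles ))
      : > "$rw_prefix.$rw_idx"               # truncate: this is the ring wrap
      rw_written=0
    fi
    printf '%s\n' "$rw_line" >> "$rw_prefix.$rw_idx"
    rw_written=$(( rw_written + rw_len ))
  done
}

# Intended use with a live capture (not run here):
#   tshark -i eth0 | ring_text_writer my-output-file 5 102400
# Checking what a file actually contains before trying to parse it:
#   capture_format my-output-file.0
```

Because the rotation happens in the reader of TShark's standard output, TShark itself runs without `-w`, exactly as the man page recommends for text output; the ring is then a property of the consumer, not of the capture, so a file may exceed the limit by at most one line and a line without a trailing newline at end of input is dropped by `read`.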

  • Follow-Ups:
    • Re: [Wireshark-users] format of output file
      • From: Peter Valdemar Mørch (Lists)
  • References:
    • [Wireshark-users] format of output file
      • From: Juan Perez