ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online

Wireshark-users: [Wireshark-users] The file "/tmp/etherXXXXnFYKCC" could not be opened: Uncompres

From: Oguz Yilmaz <oguzyilmazlist@xxxxxxxxx>
Date: Sun, 7 Mar 2010 19:35:31 +0200
Hi,

I am planning to use tshark for continuous operations. Tshark is set
to directly sniff the ethernet. So it runs dumpcap. In the /tmp/,
there are lots of files named etherXX****. When the tmp was full,
tshark has exit with the message:

tshark: The file "/tmp/etherXXXXyH7Hcs" could not be opened:
Uncompression error: buffer error.
tshark: Child capture process died: Broken pipe

The command was

tshark -i br0 -f "(port 110)" -R 'pop.request.parameter contains
"user"' >> /var/log/logger/pop3

and the processes created were:

28894 pts/4    S+     0:00 tshark -i br0 -f (port 110) or (vlan and
port 110) -R pop.request.parameter contains "user"
28895 pts/4    S+     0:00 /usr/sbin/dumpcap -i br0 -Z none -f (port
110) or (vlan and port 110)

OS is Centos EL 5.

My problem is:
- Is there any way to dump without creating a temporary file. I do not
want to tackle with filling up some partition. What do you suggest for
filling the /tmp up. Killing tshark, cleaning /tmp and restarting
tshark?
- While tshark process prolonged, shall the process need more memory?
If so, I should stop and start in some intervals.

Oguz.