Hi,
I am planning to use tshark for continuous operations. Tshark is set
to directly sniff the ethernet. So it runs dumpcap. In the /tmp/,
there are lots of files named etherXX****. When the tmp was full,
tshark has exit with the message:
tshark: The file "/tmp/etherXXXXyH7Hcs" could not be opened:
Uncompression error: buffer error.
tshark: Child capture process died: Broken pipe
The command was
tshark -i br0 -f "(port 110)" -R 'pop.request.parameter contains
"user"' >> /var/log/logger/pop3
and the processes created were:
28894 pts/4 S+ 0:00 tshark -i br0 -f (port 110) or (vlan and
port 110) -R pop.request.parameter contains "user"
28895 pts/4 S+ 0:00 /usr/sbin/dumpcap -i br0 -Z none -f (port
110) or (vlan and port 110)
OS is Centos EL 5.
My problem is:
- Is there any way to dump without creating a temporary file. I do not
want to tackle with filling up some partition. What do you suggest for
filling the /tmp up. Killing tshark, cleaning /tmp and restarting
tshark?
- While tshark process prolonged, shall the process need more memory?
If so, I should stop and start in some intervals.
Oguz.
