It ended up being that /tmp was filling up with temporary Wireshark files ...
I will do a new build vs. using the one from the distribution
-pete
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Evan Huus
Sent: Monday, February 03, 2014 1:44 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie question, tshark input from stdin
Hi Pete,
The -i flag is for specifying a network interface for live capture (e.g. eth0) and so doesn't accept "-" to signify stdin. I'm actually a bit surprised you're getting any data at all with that command. I would expect the following to give more useful results:
$ cat pcapfile | tshark -r -
though tshark's ability to read from a pipe has been rather inconsistent up until recently due to the way filetypes are detected.
(Tangential note: tshark 1.4.x is quite old and no longer officially supported. Upgrading is a good idea, if you are able.)
Evan
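To make concrete why reading a capture from a pipe is harder than `tshark -r pcapfile` (the reader cannot seek, so it has to decide the file type and byte order from the first few bytes before it knows how to walk the records), here is an added example that is not code from this thread or from Wireshark: a small Python reader that consumes a libpcap stream from stdin the way `tshark -r -` would, counts records, and reports a truncated final record instead of miscounting or crashing. The capture it parses is constructed in memory; the magic values are those of the libpcap and pcapng formats, and the function names are this example's own.

```python
"""Stream a libpcap capture from a non-seekable source (e.g. stdin) and count
its records. Added example, not Wireshark code; sample data is constructed."""
import struct
import sys
from io import BytesIO

# First four bytes of a capture, read as a big-endian integer, tell us the
# file type and the byte order used by the rest of the headers (magic values
# from the libpcap and pcapng specifications).
PCAP_MAGICS = {
    0xA1B2C3D4: (">", "us"),  # big-endian host, microsecond timestamps
    0xD4C3B2A1: ("<", "us"),  # little-endian host, microsecond timestamps
    0xA1B23C4D: (">", "ns"),  # big-endian host, nanosecond timestamps
    0x4D3CB2A1: ("<", "ns"),  # little-endian host, nanosecond timestamps
}
PCAPNG_BLOCK = 0x0A0D0D0A  # pcapng Section Header Block type (byte-order neutral)


def read_exact(stream, n):
    """Read n bytes from a pipe-like stream, retrying on short reads.
    Returns fewer than n bytes only when the input really ends."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf.extend(chunk)
    return bytes(buf)


def count_packets(stream):
    """Walk a libpcap stream record by record without seeking, as a reader
    fed from stdin must. A short final record marks the result as truncated."""
    magic = read_exact(stream, 4)
    if len(magic) < 4:
        raise ValueError("input too short to carry a capture header")
    raw = struct.unpack(">I", magic)[0]
    if raw == PCAPNG_BLOCK:
        raise ValueError("pcapng input: not handled by this example")
    if raw not in PCAP_MAGICS:
        raise ValueError("unrecognised magic 0x%08x" % raw)
    endian, ts_unit = PCAP_MAGICS[raw]

    # Rest of the 24-byte global header: version, tz offset, sigfigs, snaplen, linktype.
    header = read_exact(stream, 20)
    if len(header) < 20:
        raise ValueError("truncated global header")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", header)

    count, truncated = 0, False
    while True:
        rec = read_exact(stream, 16)  # per-record header: ts_sec, ts_frac, incl_len, orig_len
        if not rec:
            break  # clean end of stream
        if len(rec) < 16:
            truncated = True
            break
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen:
            raise ValueError("record claims %d bytes, above snaplen %d" % (incl_len, snaplen))
        data = read_exact(stream, incl_len)
        if len(data) < incl_len:
            truncated = True
            break
        count += 1
    return {"format": "pcap-" + ts_unit, "endian": endian, "linktype": linktype,
            "packets": count, "truncated": truncated}


def summarize_bytes(data):
    """Convenience wrapper: run count_packets over an in-memory capture."""
    return count_packets(BytesIO(data))


def make_pcap(payloads, endian="<", nanos=False, snaplen=65535, linktype=1):
    """Build a constructed libpcap capture in memory (sample data, not a real trace)."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for i, payload in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1391200200 + i, 0, len(payload), len(payload))
        out += payload
    return out


# Constructed sample: three Ethernet-sized frames of filler bytes.
SAMPLE_PCAP = make_pcap([b"\x00" * 60, b"\x11" * 64, b"\x22" * 128])

if __name__ == "__main__":
    # Usage: cat pcapfile | python3 count_pcap.py
    print(count_packets(sys.stdin.buffer))
```

Cutting the sample short mid-record (for instance `SAMPLE_PCAP[:-5]`) yields two counted packets and `truncated: True`, which is the distinction a reader fed from a pipe needs to make: end of input is not the same as end of a record.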
On Mon, Feb 3, 2014 at 4:16 PM, Lancashire, Pete <Pete.Lancashire@xxxxxxxxxxxxxxxxxx> wrote:
> A bit confused with tshark -i -
>
> I have a pcap file with 1,177,880 records
>
> $ capinfos pcapfile
> File name: pcapfile
> File type: Wireshark/tcpdump/... - libpcap
> File encapsulation: Ethernet
> Packet size limit: file hdr: 65535 bytes
> Number of packets: 1177880
> File size: 772514406 bytes
> Data size: 753668302 bytes
> Capture duration: 4800 seconds
> Start time: Fri Jan 31 13:50:00 2014
> End time: Fri Jan 31 15:10:00 2014
> Data byte rate: 156999.79 bytes/sec
> Data bit rate: 1255998.34 bits/sec
> Average packet size: 639.85 bytes
> Average packet rate: 245.37 packets/sec
> SHA1: 1ad68104a5ea50c2392340a9e5b6f2767e6dd34f
> RIPEMD160: 519962c5e8cf8f742ebceb4d06380741fcca537b
> MD5: 9594d754ae507f5cbe7cb6ac43cd361a
> Strict time order: False
>
> tshark is
>
> $ tshark -v
> TShark 1.4.10
>
> Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
> This is free software; see the source for copying conditions. There is
> NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> Compiled (64-bit) with GLib 2.26.0, with libpcap 1.1.1, without libz,
> without POSIX capabilities, without libpcre, with SMI 0.4.8, without
> c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6,
> with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP.
>
> Running on Linux 2.6.35.14-106.fc14.x86_64, with libpcap version 1.1.1.
>
> Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).
>
> doing
> $ tshark -r pcapfile 2>/dev/null | wc -l
> 1177880
>
> Is what I expected
>
> but
> cat pcapfile | tshark -i -
>
> 6.027531 192.168.240.107 -> 192.168.2....
> 499 packets captured
>
> and confirming
>
> cat pcapfile | tshark -i - 2>/dev/null | wc -l
> 499
>
> What am I doing wrong?
>
> Thanks
>
> -pete
>
> stops after 499 packets
>
> tshark -r pcapfile | wc -l
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe