11# TSHARK in a container
22
3- This container starts a tshark and safes the captured packages in files. It
4- uses a ring buffer with a default file size of 1 Gigabyte and a maximum number
3+ This container starts a tshark and safes the captured packages in files. It
4+ uses a ring buffer with a default file size of 1 Gigabyte and a maximum number
55of files of 10. All files are stored in the ` /data ` directory.
66
77## Usage
@@ -23,6 +23,7 @@ These options are configurable:
2323| ` DURATION ` | ` "" ` |
2424| ` FILENAME ` | ` dump ` |
2525| ` FORMAT ` | ` pcapng ` |
26+ | ` SNAPLENGTH ` | <deactivated > |
2627
2728` IFACE ` space-separated list of interfaces tshark should listen on.
2829
@@ -34,22 +35,26 @@ be opened. The unit for this is Megabytes (1 Megabyte = 1,000,000 bytes).
3435` MAXFILENUM ` is the maximum number of files that are opened before tshark
3536starts overwriting old files one by one beginning with the first one.
3637
37- ` DURATION ` is the maximum number of seconds tshark waits until it begins to
38+ ` DURATION ` is the maximum number of seconds tshark waits until it begins to
3839write into the next file.
3940
40- The ` FILENAME ` variable sets the filename that is used. The default value is
41- ` dump ` . A number will be attached to each file (see tshark manpage for more
42- information). To dump on multiple interfaces simply add more interfaces to this
41+ The ` FILENAME ` variable sets the filename that is used. The default value is
42+ ` dump ` . A number will be attached to each file (see tshark manpage for more
43+ information). To dump on multiple interfaces simply add more interfaces to this
4344variable seperated by a whitespace (e.g. "eth0 eth1").
4445
4546` FORMAT ` sets the file-format of the written trace. Note that when you're setting
4647the ` FORMAT ` to ` pcap ` for example, the ` FILENAME ` has to be changed to ` dump.pcap ` .
4748Other formats are described in the [ official tshark documentation] ( https://www.wireshark.org/docs/man-pages/tshark.html ) .
4849
50+ ` SNAPLENGTH ` is the amount of data for each frame that is actually captured by the
51+ network capturing tool and stored into the CaptureFile. This is sometimes called PacketSlicing.
52+ By default this is turned off so large packets are not truncated by accident.
53+
4954Example:
5055
5156```
52- -> % ls -1 dump
57+ -> % ls -1 dump
5358dump_00164_20180622110637
5459dump_00165_20180622110638
5560dump_00166_20180622110639
@@ -73,13 +78,13 @@ option to read captured raw packages from a file.
7378
7479### Display Filters
7580
76- Since ` tshark ` does not allow for wireshark like filters to be applied to a
77- capture stream. And the functionality of piping to a ` tshark ` and than applying
78- a read filter is also broken (see
79- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234 ), applying wireshark
81+ Since ` tshark ` does not allow for wireshark like filters to be applied to a
82+ capture stream. And the functionality of piping to a ` tshark ` and than applying
83+ a read filter is also broken (see
84+ https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234 ), applying wireshark
8085like filters needs to be done in a second filter pass.
8186
82- This can be done with a local installed instance of ` tshark ` or using the
87+ This can be done with a local installed instance of ` tshark ` or using the
8388` tshark ` provided by the docker-pcap container:
8489
8590```
0 commit comments