3
votes

I need to stop tshark (the command-line equivalent of Wireshark) after a certain condition is met.

From the tshark man page, I found that a stopping condition can be applied with respect to duration, files, file size and multiple-files mode.

Is there any stopping condition I can apply through a capture filter so that tshark stops capturing?

e.g.: upon receiving a TCP SYN packet from a particular port number (condition applied in the capture filter), tshark stops capturing.

Please answer this riddle.


1 Answer

0
votes

You can pipe the output to head and pick the first frame that matches your query, but you also need to disable output buffering (stdbuf is part of coreutils).

e.g. (Linux):

stdbuf -i0 -o0 -e0 tshark -r file.pcap -Y 'sctp.verification_tag == 0x2552' | head -1

Mac:

gstdbuf -i0 -o0 -e0 tshark -r file.pcap -Y 'tcp.flags.syn == 1 && tcp.port == 80' | head -1
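Two ways to make a live capture actually stop on a condition, as an added example that is not part of the original question or answer. tshark's -c counts packets read from the interface, not packets that pass a -Y display filter, so a capture filter (-f, compiled to BPF and applied before tshark ever sees the packet) combined with -c 1 ends the capture at the first matching packet with no pipe tricks. When the condition can only be expressed as a display filter, tshark's own -l flag flushes stdout after every packet (so stdbuf is not required), and head -n 1 closes the pipe after the first match; tshark then exits with SIGPIPE/EPIPE on its next write. The interface name, port number and pcap file name are placeholders, and fake_tshark is a constructed stand-in used only to show the pipe mechanism offline without a capture interface.

```shell
#!/bin/sh
# Stop tshark at the first packet matching a condition. Added example; the
# interface, port and pcap names below are placeholders, not from the page.

# Capture-filter route: the BPF filter runs before tshark sees the packet,
# so tshark only receives matching packets and -c 1 ends the capture after
# the first one. The flags test keeps pure SYN and drops SYN/ACK replies.
stop_on_first_syn_to_port() {
    iface=$1
    port=$2
    tshark -i "$iface" -c 1 \
        -f "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and tcp dst port $port" \
        -T fields -e frame.time -e ip.src -e tcp.srcport
}

# Display-filter route: -Y cannot stop the capture and -c counts every packet
# read, so use -l (flush after each packet) and let head close the pipe;
# tshark gets SIGPIPE/EPIPE on its next write and exits.
# Usage: first_match 'tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.port == 80' -i eth0
#        first_match 'sctp.verification_tag == 0x2552' -r file.pcap
first_match() {
    filter=$1
    shift
    tshark "$@" -l -Y "$filter" | head -n 1
}

# Offline demonstration of the pipe mechanism, no tshark required.
# fake_tshark is a constructed stand-in that prints one "packet" line per
# iteration forever, like a live capture that never ends on its own.
fake_tshark() {
    n=0
    while :; do
        n=$((n + 1))
        # Once head has exited, this write either kills the subshell with
        # SIGPIPE or fails with EPIPE; either way the endless loop ends.
        printf 'frame %d: SYN to port 80\n' "$n" 2>/dev/null || return 0
    done
}

# Returns only the first "packet"; the producer dies with the pipe.
first_fake_frame() {
    fake_tshark | head -n 1
}
```

Prefer the capture-filter form when the condition is expressible in BPF: it never needs the pipe, and the capture stops regardless of how tshark buffers its output. The head form is what the answer above relies on, and -l replaces stdbuf on any platform.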