1
votes

I'm attempting to run multiple parallel instances of tshark to comb through a large number of pcap files in a directory and copy the filtered contents to a new file. I'm running into an issue where tshark is throwing an error on the command I'm feeding it.

It must have something to do with the way the command string is interpreted by tshark as I can copy / paste the formatted command string to the console and it runs just fine. I've tried formatting the command several ways and read threads from others who had similar issues. I believe I'm formatting correctly... but still get the error.

Here's what I'm working with:

Script #1: - filter

#Takes user arguments <directory> and <filter> and runs a filter on all captures for a given directory.
#
#TO DO:
#Add user prompts and data sanitization to avoid running bogus job.
#Add concatenation via mergecap /w .pcap suffix
#Delete filtered, unmerged files
#Add mtime filter for x days of logs
starttime=$(date)
# the tests need a space after "[" and before "]"; without them the shell looks for a command named "[ICE"
if [ "$1" = '' ]; then
    echo "no directory specified, you must specify a directory (VLAN)"
elif [ "$2" = '' ]; then
    echo "no filter specified, you must specify a valid tshark filter expression"
else
    echo "$2" > /home/captures-user/filtered/filter-reference
    find /home/captures-user/Captures/"$1" -type f | xargs -P 5 -L 1 /home/captures-user/tshark-worker
    rm /home/captures-user/filtered/filter-reference
fi
echo Start time is $starttime
echo End time is $(date)

Script #2: - tshark-worker

# $1 = path and file name

#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter=$(cat /home/captures-user/filtered/filter-reference)

#strips the directory off the current working file
file=$(sed 's/.*\///' <<< $1 )

echo $1 'is the file to run' $filter 'on.'

#runs the filter and places the filtered results in the /filtered directory
command=$"tshark -r $1 -Y '$filter' -w /home/captures-user/filtered/$file-filtered"
echo $command
$command

When I run ./filter ICE 'ip.addr == 1.1.1.1' I get the following output for each file. Note that the inclusion of == in the filter expression is not the issue; I've tried substituting 'or' and get the same output. Also, tshark is not aliased to anything, and there's no script with that name. It's the raw tshark executable in /usr/sbin.

Output:

/home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 is the file to run ip.addr == 1.1.1.1 on.

tshark -r /home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 -Y 'ip.addr == 1.1.1.1' -w /home/captures-user/filtered/ICE-2019-05-26_00:00:01-filtered

tshark: Display filters were specified both with "-d" and with additional command-line arguments.
1
Welcome to StackOverflow. Consider adding the output of what happens when $command is run. Right now it looks like we only have the output of the two echo commands (which are echoing as one would expect). noah
Thanks for the welcome. The third line is the output from $command: "tshark: Display filters were specified both with "-d" and with additional command-line arguments." It is odd because -d is not in the command string. I've seen posts by others reporting similar (but not exact) errors. None of their solutions have worked for me. AlwaysConfused
Colons (:) in filenames are probably the problem - try to remove them if possible, or escape them with \:. lojza
No luck. I made a dummy directory with files absent the colons. Same result when running the script. I can copy / paste the same formatted command strings that the script creates (with the colon-containing file name) and it works. The only time it's a problem is when launching the command from a script. However, I agree colons in filenames are not good practice. Unfortunately I didn't set up the environment or the script that formats the capture names. I'll ask the offending party to amend it. AlwaysConfused
Is there any chance someone else on the system aliased tshark to something with tshark -d ...? noah

1 Answer

0
votes

As I mentioned in the comments, I think this is a problem with quoting and how your command is constructed due to spaces in the filter (and possibly in the file name and/or path).

You could try changing your tshark-worker script to something like the following:

#!/bin/bash
# $1 = path and file name

#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter="$(cat /home/captures-user/filtered/filter-reference)"

#strips the directory off the current working file (everything up to the last "/")
file="${1##*/}"

echo "$1" 'is the file to run' "$filter" 'on.'

#runs the filter and places the filtered results in the /filtered directory
#every expansion is double-quoted, so the filter reaches tshark as a single argument even though it contains spaces
tshark -r "$1" -Y "$filter" -w "/home/captures-user/filtered/${file}-filtered"
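The following is an added example, not code from the question or the answer. It reproduces the failure with a stand-in for tshark (a shell function that prints one argv element per line, constructed for the demo) so you can see exactly what the real binary receives when the command is kept in a string and expanded unquoted, versus when the arguments are built as a list. The filter and capture path are the ones from the question; /tmp/out-filtered is an assumed output path. In the string form the single quotes are ordinary characters and the filter is split into three words, so tshark gets 'ip.addr as its -Y value plus two stray arguments, which it treats as a second display filter; that is what the error message complains about, despite its wording naming -d.

```shell
#!/bin/sh
# Added example: how a command stored in a string loses its quoting,
# and how a proper argument list preserves it. Not the asker's or
# answerer's code. Runs under sh or bash.

filter='ip.addr == 1.1.1.1'
capture='/home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01'

# Stand-in for tshark (constructed for the demo): prints one argv element
# per line, bracketed so leading/trailing quote characters are visible.
fake_tshark() {
    printf '[%s]\n' "$@"
}

# Number of arguments received; used by the checks below.
nargs() {
    echo "$#"
}

# The word that follows -Y, i.e. what tshark would use as its display filter.
y_value() {
    while [ $# -gt 0 ]; do
        if [ "$1" = -Y ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Broken form from the question. The single quotes around $filter are
# literal characters inside the string, and expanding $rest unquoted
# splits it on whitespace: the filter becomes  'ip.addr  ==  1.1.1.1'
# (three words). A filter containing * or ? would additionally be
# glob-expanded against the current directory.
argv_from_string() {
    cmdstring="tshark -r $capture -Y '$filter' -w /tmp/out-filtered"
    rest=${cmdstring#tshark }   # drop the program name; the consumer gets the rest
    "$1" $rest                  # $rest intentionally unquoted: this is the bug
}

# Fixed form: build the argument list with "set --", which keeps every
# argument as one word regardless of spaces. This is the POSIX equivalent
# of a bash array; in bash, cmd=(...) and "${cmd[@]}" do the same.
argv_from_list() {
    consumer=$1
    set -- -r "$capture" -Y "$filter" -w /tmp/out-filtered
    "$consumer" "$@"
}

echo '--- string form (broken): argv as tshark would see it ---'
argv_from_string fake_tshark
echo '--- argument list (fixed) ---'
argv_from_list fake_tshark
```

The string form hands the stand-in eight arguments, with the -Y value being the literal 'ip.addr; the list form hands it six, with the whole filter intact as one argument. The same fix applies to the worker script: either pass the variables directly on the tshark command line, double-quoted, or keep them in an array and expand it with "${cmd[@]}". Building a command line as a single string and expanding it unquoted is never safe once any argument can contain whitespace or shell metacharacters.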