3

I am using the TShark command line in order to start a new capture. If I use this command tshark.exe -w C:\test.pcap -i (my interface number) I save the capture on my hard drive and this is what I need, but the output of this command shows the number of packets received, a number that is updating all the time, and this output I cannot get.

With this command: tshark.exe -i (my interface number) I can see the packet details, and I can get the process output in order to show it on my form (win form), and until now I could not find any command that would show me the packet details and save the capture file on my hard drive. If I use this command: tshark.exe -i (my interface number) -w C:\test.pcap I can save the capture but the output is like in the first example without the packet details. Maybe someone can help me with this?

Dialecticus
Dana Yeger

2 Answers

3

tshark seems to be "tcpdump for Windows".

You've got 2 options:

1: modify tshark for your purpose (you'll probably need to know how to program in C)

2: write the raw output to a pipe and TEE it to a file and to your application (or have your application read the pipe and write the file).

user340140
  • How would you do option 2? I've tried, but with no luck: http://stackoverflow.com/questions/26177333/capturing-tshark-standard-output-with-popen-in-c – nephewtom Oct 06 '14 at 12:23
2

Use the -V flag.

This enables verbose mode.

I would recommend this along with -x depending on the intensity and level of logging required.

Mike Mackintosh
  • `tshark.exe -i (int_number) -V -x -w C:\test.pcap` should do the trick. Just tried it out on a Windows XP machine and worked. – Mike Mackintosh Sep 26 '12 at 21:46
  • First of all, thanks. Now I can see that the output of this command is all the packet details. Is it possible to get only the IP and the protocol, i.e. this output: 1.343007 192.168.0.100 -> 69.169.160.101 UDP 62 Source port: 62587 Destination port: 49500 without all the details? – Dana Yeger Sep 26 '12 at 21:49
  • `-x` is supposed to output the ASCII/HEX packet data. Leave off the `-V` and try again. – Mike Mackintosh Sep 26 '12 at 21:51
  • Still all the details, without `-V` and without `-x`. – Dana Yeger Sep 26 '12 at 21:57
  • Hmm.. strange. Are you on Win Vista+? Try `tshark.exe -i int -xqPlns 1500 > C:\text.pcap` – Mike Mackintosh Sep 26 '12 at 22:07
  • I am on Windows 7; with this command I cannot see any packets. – Dana Yeger Sep 26 '12 at 22:20
  • Hmm.. strange. I'll see if I can get hold of a Windows 7 box and test it out. The above shows the packet flow including HEX and ASCII decodes, etc. I'll get back to you in a bit. – Mike Mackintosh Sep 26 '12 at 22:46
  • Maybe there is a command like the one I am looking for with dumpcap or wireshark (also using the command line)? – Dana Yeger Sep 27 '12 at 08:13
  • It exists. I'll have my hands on a Win7 box today. Standby. – Mike Mackintosh Sep 27 '12 at 11:54
  • BTW, another issue that I am trying to solve is to find an option to capture (and save the file, of course) but with output of the number of packets that I can see ongoing, in order to update my form in the middle of the capturing. – Dana Yeger Sep 27 '12 at 14:29
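As an added example (not code from the thread, nor from the tshark project), here is how the "have your application read the pipe" route from the first answer fits together with the per-packet summary output discussed in the second answer and its comments: tshark writes the pcap with `-w`, `-P` keeps the one-line summary on stdout despite `-w`, `-l` flushes stdout after each packet, and the application parses those lines into records plus a running packet count (the count the asker wants to show on the form). All four options appear in the commands quoted in the thread; the summary-line layout is taken from the line quoted in the comments. The optional frame-number prefix and arrow glyph accepted for newer tshark releases, the constructed sample lines, and the names `parse_summary_line`, `parse_summary_lines`, `tshark_command` and `stream_capture` are my own assumptions.

```python
"""Read tshark's per-packet summary lines from a pipe while tshark itself
writes the pcap file, and turn each line into a record plus a running count.

Added example, not code from the thread.  Assumes tshark's -w, -P, -l and -n
options and the one-line summary layout quoted in the thread.
"""
import re
import subprocess
from dataclasses import dataclass

# Layout of a default summary line as quoted in the thread (tshark 1.x):
#   <time> <src> -> <dst> <proto> <len> <info...>
# Newer releases prefix a frame number and may print an arrow glyph; both are
# accepted here as optional variants (assumption, not taken from the thread).
SUMMARY_RE = re.compile(
    r"^\s*(?:(?P<frame>\d+)\s+)?"
    r"(?P<time>\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+(?:->|\u2192)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s*"
    r"(?P<info>.*)$"
)

# Constructed sample output, not captured from a real interface: the second
# line is the one quoted in the thread, the first is the banner tshark prints
# before capturing, the last shows the frame-number variant.
SAMPLE_LINES = [
    "Capturing on 'Ethernet'",
    "  1.343007 192.168.0.100 -> 69.169.160.101 UDP 62 Source port: 62587 Destination port: 49500",
    "  2.001234 192.168.0.100 -> 192.168.0.1 DNS 74 Standard query A example.com",
    "    3 2.500000 10.0.0.5 -> 10.0.0.9 TCP 66 49152 > 443 [SYN] Seq=0",
]


@dataclass
class PacketSummary:
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_summary_line(line):
    """Return a PacketSummary for a packet line, or None for banners/counters."""
    m = SUMMARY_RE.match(line)
    if m is None:
        return None
    return PacketSummary(
        time=float(m["time"]), src=m["src"], dst=m["dst"], proto=m["proto"],
        length=int(m["length"]), info=m["info"].strip(),
    )


def parse_summary_lines(lines):
    """Parse every packet line in an iterable of output lines, skipping the rest."""
    return [p for p in map(parse_summary_line, lines) if p is not None]


def tshark_command(interface, pcap_path, tshark="tshark"):
    """Build the capture command: -w saves the pcap, -P keeps printing the
    per-packet summary despite -w, -l flushes stdout after each packet so the
    pipe delivers lines immediately, -n skips name resolution."""
    return [tshark, "-i", str(interface), "-w", pcap_path, "-P", "-l", "-n"]


def stream_capture(interface, pcap_path, on_packet, tshark="tshark"):
    """Run tshark, hand each parsed packet and the running count to on_packet
    (for example a form-update callback), and return the final count.
    tshark's own 'N packets captured' counter goes to stderr and is dropped."""
    proc = subprocess.Popen(
        tshark_command(interface, pcap_path, tshark),
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
    )
    count = 0
    for line in proc.stdout:
        packet = parse_summary_line(line)
        if packet is not None:
            count += 1
            on_packet(count, packet)
    proc.wait()
    return count


if __name__ == "__main__":
    # Offline demonstration on the constructed sample lines.
    for n, pkt in enumerate(parse_summary_lines(SAMPLE_LINES), start=1):
        print(f"packet {n}: {pkt.src} -> {pkt.dst} {pkt.proto} {pkt.length} bytes  {pkt.info}")
    # Live use (needs tshark installed and a capture-capable interface), e.g.:
    # stream_capture(3, r"C:\test.pcap", lambda n, p: print(n, p.proto))
```

Because `-l` makes tshark flush after every packet, the callback fires as each packet arrives rather than when the pipe buffer fills, which is what a live counter on a form needs; the pcap on disk is written by tshark itself, so the application never has to reassemble it from the text output.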