Allow the user to choose if a pcap should be saved after exiting termshark
davehouser1 opened this issue · 9 comments
Is your feature request related to a problem? Please describe.
I am using termshark with traffic generation which at times can generate up to 100's of Gbps; I cannot have termshark create pcap files after every capture. I find myself having to delete the .pcap files after every run. I can't seem to find a way to make termshark not create a pcap file, or at the very least, discard the created pcap after quitting the program.
Describe the solution you'd like
Maybe a flag when starting termshark to tell it not to create a pcap when quitting. Or a secondary quit option to get rid of / delete the pcap after exiting the program.
This is a duplicate of #86. I've renamed that issue for clarity. I agree with this sentiment and it's my largest pet peeve with termshark right now.
Sorry guys 😞
I have a fix for this in a branch I haven't merged yet. I'll update it so you can try it out. It's controlled by a setting in the config file, ~/.config/termshark/termshark.toml:
[main]
disk-cache-size-mb = 250
This will limit the size of the pcap cache directory so that it is no larger than 250MB. I didn't want to slow down the startup or shutdown sequence of termshark, so the way I implemented it is as follows:
- when termshark starts, it sets an inactivity timer for 5s. User interaction resets the timer.
- when the timer goes off, termshark will walk the ~/.cache/termshark/pcaps directory, oldest files first - pcap files are deleted until the size of the directory is <= the setting in the toml
- this sequence runs no more than once per invocation of termshark
Would that work? It doesn't ask for any kind of confirmation before deleting files. Here are the test binaries:
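The oldest-first pruning pass described in the comment above, as an added example that is not termshark's own code and not part of the original thread. The function name `pruneCache` and the scratch directory in `main` are assumptions; the inactivity timer is left out so that only the size-bounded deletion is shown.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// pruneCache (hypothetical name) deletes regular files in dir, oldest
// modification time first, until the directory total is <= limitBytes.
func pruneCache(dir string, limitBytes int64) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var files []os.FileInfo
	var total int64
	for _, e := range entries {
		info, err := e.Info()
		if err != nil || !info.Mode().IsRegular() {
			continue // skip subdirectories, symlinks, files that vanished
		}
		files = append(files, info)
		total += info.Size()
	}
	sort.Slice(files, func(i, j int) bool { return files[i].ModTime().Before(files[j].ModTime()) })
	var removed []string
	for i := 0; i < len(files) && total > limitBytes; i++ {
		if err := os.Remove(filepath.Join(dir, files[i].Name())); err != nil {
			return removed, err
		}
		total -= files[i].Size()
		removed = append(removed, files[i].Name())
	}
	return removed, nil
}

func main() {
	// Constructed demo: prune a scratch directory, never the real cache.
	dir, _ := os.MkdirTemp("", "pcaps")
	defer os.RemoveAll(dir)
	for i, n := range []string{"old.pcap", "mid.pcap", "new.pcap"} {
		p, t := filepath.Join(dir, n), time.Now().Add(time.Duration(i-3)*time.Hour)
		os.WriteFile(p, make([]byte, 100), 0o600)
		os.Chtimes(p, t, t)
	}
	fmt.Println(pruneCache(dir, 150))
}
```

Symlinks are skipped rather than followed, so a link planted in the cache directory cannot steer the deletion at a file outside it.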
I appreciate that you're putting effort into this, but the default doesn't make sense given how tshark/wireshark work (which people will use to base their expectations of behavior).
tshark's behavior here is:
- No save file specified (tshark): Output text to console and save file to /tmp (or whatever folder is temp in preferences. This temp folder can be found with tshark -G folders | grep Temp: | awk '{ print $2 }')
- Save file specified (tshark -w temp.pcap): Save file locally to the specified file
Wireshark additionally will ask with a modal if you want to discard the current set of packets when quitting.
I would prefer these three behaviors.
Thanks for the feedback :-) I will make adjustments and send you another attempt soon. This is still the top termshark priority for me.
Hi @davehouser1 and @pocc ,
I've pushed a prototype implementation to the wflag branch. If you have time, could you give it a try and let me know if it's up to scratch? Here's how it works. Termshark now takes a -w flag:
Application Options:
...
-w=<outfile> Write raw packet data to outfile.
If you invoke termshark like this:
$ termshark -i eth0 -w foo.pcap
then the UI will launch as usual but termshark will save the capture to foo.pcap instead of e.g. ~/.cache/termshark/pcaps/eth0-xyz.pcap. The argument to -w has to be a file and not something like stdout because termshark repeatedly re-reads the file during its operation.
If you invoke termshark on an interface but without -w, then termshark's behavior depends on these new config variables:
- main.always-keep-pcap (default: false) - unless this is true, when you quit termshark after reading from an interface, termshark will prompt you to see whether you want to keep or delete the capture file.
- main.use-tshark-temp-for-pcap-cache (default: false) - if true, termshark will write the capture file to tshark's configured Temp directory.
- main.pcap-cache-dir (string) - if set, and if main.use-tshark-temp-for-pcap-cache is false, termshark will write the capture file to this directory.
If you invoke termshark on an interface and use the -w flag, termshark will not prompt you when it terminates, and will keep the capture file.
Here are links to the test binaries:
Thanks Graham for the effort you put into this fix!
I have tested this on Windows/Powershell and I see the following behavior:
- No -w results in a modal asking where to save it
- -w results in file being saved where expected
- Both locations (specified and temp) contain the expected packet captures
Do you think it would be good to have a "save as" option as well? That way, they don't have to go rooting around %APPDATA% or some other temp folder to find it.
Hi @pocc - yes, that's a good idea. I'd thought before about a load-pcap dialog too, and shied away in the short term because I knew I'd need to build a file selector widget and that seemed like a larger task. Then I added the command-line and the load command in there seemed to do the job. Maybe I should just bite the bullet and make a file selector...
In terms of usability, I would model it on Wireshark, which does have a file selector for Save As.
In the interim, though, I think it's fine to close this issue and open another one for Save As as a feature request.