gcla / termshark

A terminal UI for tshark, inspired by Wireshark

Allow the user to choose if a pcap should be saved after exiting termshark

davehouser1 opened this issue · comments

Is your feature request related to a problem? Please describe.

I am using termshark with traffic generation which at times can generate up to 100's of Gbps, I cannot have termshark create pcap files after every capture. I find myself having to delete the .pcap files after every run. I can't seem to find a way to make termshark not create a pcap file, or at the very least, discard the created pcap after quitting the program.

Describe the solution you'd like

Maybe a flag when starting termshark to tell it not to create a pcap when quitting. Or a secondary quit option to get rid of / delete the pcap after exiting the program.

This is a duplicate of #86. I've renamed that issue for clarity. I agree with this sentiment and it's my largest pet peeve with termshark right now.

Sorry guys 😞

I have a fix for this in a branch I haven't merged yet. I'll update it so you can try it out. It's controlled by a setting in the config file, ~/.config/termshark/termshark.toml:

[main]
  disk-cache-size-mb = 250

This will limit the size of the pcap cache directory so that it is no larger than 250MB. I didn't want to slow down the startup or shutdown sequence of termshark, so the way I implemented it is as follows:

  • when termshark starts, it sets an inactivity timer for 5s. User interaction resets the timer.
  • when the timer goes off, termshark will walk the ~/.cache/termshark/pcaps directory, oldest files first
  • pcap files are deleted until the size of the directory is <= the setting in the toml
  • this sequence runs no more than once per invocation of termshark

Would that work? It doesn't ask for any kind of confirmation before deleting files. Here are the test binaries:

Linux: https://storage.googleapis.com/termshark/aa22e3620aa39c07165f81b1c65a3e642055bf84/termshark_linux_amd64/termshark

macOS: https://storage.googleapis.com/termshark/aa22e3620aa39c07165f81b1c65a3e642055bf84/termshark_darwin_amd64/termshark

Windows: https://storage.googleapis.com/termshark/aa22e3620aa39c07165f81b1c65a3e642055bf84/termshark_windows_amd64/termshark.exe
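The pruning sequence described in the comment above, as an added example in Go that is not termshark's own code: it walks a cache directory oldest modification time first and deletes regular files until the total is at or below the cap (the toml value is in MB, so 250 becomes 250<<20 bytes here). The 5s inactivity timer and the once-per-invocation guard are left out; the directory path is taken from the command line rather than from the config.

```go
package main

import (
	"log"
	"os"
	"path/filepath"
	"sort"
)
// pruneCache deletes the oldest regular files in dir (by modification time)
// until what remains is <= limitBytes; it returns how many files it removed.
func pruneCache(dir string, limitBytes int64) (int, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return 0, err
	}
	var infos []os.FileInfo
	var total int64
	for _, e := range entries {
		if !e.Type().IsRegular() { // leave subdirectories and symlinks alone
			continue
		}
		info, err := e.Info()
		if err != nil {
			return 0, err
		}
		infos = append(infos, info)
		total += info.Size()
	}
	sort.Slice(infos, func(i, j int) bool { return infos[i].ModTime().Before(infos[j].ModTime()) })
	removed := 0
	for _, info := range infos { // oldest first, so the newest captures survive
		if total <= limitBytes {
			break
		}
		if err := os.Remove(filepath.Join(dir, info.Name())); err != nil {
			return removed, err
		}
		total -= info.Size()
		removed++
	}
	return removed, nil
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: prune <cache-dir>")
	}
	n, err := pruneCache(os.Args[1], 250<<20) // 250 MiB, matching disk-cache-size-mb = 250
	log.Println("removed:", n, "err:", err)
}
```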

I appreciate that you're putting effort into this, but the default doesn't make sense given how tshark/wireshark work (which people will use to base their expectations of behavior).

tshark's behavior here is:

  1. No save file specified (tshark): Output text to console and save file to /tmp (or whatever folder is temp in preferences. This temp folder can be found with tshark -G folders | grep Temp: | awk '{ print $2 }')
  2. Save file specified (tshark -w temp.pcap): Save file locally to the specified file

Wireshark additionally will ask with a modal if you want to discard the current set of packets when quitting.

I would prefer these three behaviors.

Thanks for the feedback :-) I will make adjustments and send you another attempt soon. This is still the top termshark priority for me.

Hi @davehouser1 and @pocc,

I've pushed a prototype implementation to the wflag branch. If you have time, could you give it a try and let me know if it's up to scratch? Here's how it works. Termshark now takes a -w flag:

Application Options:
  ...
  -w=<outfile>                                               Write raw packet data to outfile.

If you invoke termshark like this:

$ termshark -i eth0 -w foo.pcap

then the UI will launch as usual but termshark will save the capture to foo.pcap instead of e.g. ~/.cache/termshark/pcaps/eth0-xyz.pcap. The argument to -w has to be a file and not something like stdout because termshark repeatedly re-reads the file during its operation.

If you invoke termshark on an interface but without -w, then termshark's behavior depends on these new config variables:

  • main.always-keep-pcap (default: false) - unless this is true, when you quit termshark after reading from an interface, termshark will prompt you to see whether you want to keep or delete the capture file.

  • main.use-tshark-temp-for-pcap-cache (default: false) - if true, termshark will write the capture file to tshark's configured Temp directory.

  • main.pcap-cache-dir (string) - if set, and if main.use-tshark-temp-for-pcap-cache is false, termshark will write the capture file to this directory.

If you invoke termshark on an interface and use the -w flag, termshark will not prompt you when it terminates, and will keep the capture file.

Here are links to the test binaries:

Linux: https://storage.googleapis.com/termshark/484db5c21abb13539ef6eb2b48ab533bc0cc9c79/termshark_linux_amd64/termshark

macOS: https://storage.googleapis.com/termshark/484db5c21abb13539ef6eb2b48ab533bc0cc9c79/termshark_darwin_amd64/termshark

Windows: https://storage.googleapis.com/termshark/484db5c21abb13539ef6eb2b48ab533bc0cc9c79/termshark_windows_amd64/termshark.exe

Thanks Graham for the effort you put into this fix!

I have tested this on Windows/Powershell and I see the following behavior:

  • No -w results in a modal asking where to save it
  • -w results in file being saved where expected
  • Both locations (specified and temp) contain the expected packet captures

Do you think it would be good to have a "save as" option as well? That way, they don't have to go rooting around %APPDATA% or some other temp folder to find it.

Hi @pocc - yes, that's a good idea. I'd thought before about a load-pcap dialog too, and shied away in the short term because I knew I'd need to build a file selector widget and that seemed like a larger task. Then I added the command-line and the load command in there seemed to do the job. Maybe I should just bite the bullet and make a file selector...

In terms of usability, I would model it on Wireshark, which does have a file selector for Save As.

In the interim, though, I think it's fine to close this issue and open another one for Save As as a feature request.