tcpdump mailing list archives

Re: reading a live pcap file in real time


From: Guy Harris <guy () alum mit edu>
Date: Tue, 3 Mar 2009 15:55:38 -0800


On Mar 3, 2009, at 11:06 AM, Guy Harris wrote:

Look at the source of the "dumpcap" program in Wireshark for an example of how to do the capture side of that. The secret is that it doesn't just write to the file and not communicate with the program on whose behalf it's capturing - every time it writes N packets to the file, it sends to Wireshark (or TShark) a message over a pipe indicating that it's written N more packets.

...and it also does an fflush() on the standard I/O stream after writing those packets out, so they're actually in the file rather than in the standard I/O stream buffer for the file, in dumpcap's address space.

In any case, don't reinvent the wheel, do what Wireshark does in this case; we (the Wireshark developers) have already spent a lot of time on that particular problem (capture program writing to a file cooperating with a GUI program reading from the file).
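The write, flush, then notify ordering described in this message, as an added example that is not part of the original message and is not dumpcap's code. The function names, the bare packet count used as the pipe message, and the dummy packets are assumptions made for illustration; both sides run in one process for brevity.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed sample data: classic pcap headers plus fixed-size dummy packets. */
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t zone; uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };
enum { PAYLOAD = 60 };

/* Writer (hypothetical helper): append n packets, fflush() them out of the stdio buffer, then notify. */
static int writer_emit(FILE *out, int notify_fd, uint32_t n) {
    unsigned char pkt[PAYLOAD] = {0};
    struct rec_hdr rh = {0, 0, PAYLOAD, PAYLOAD};
    for (uint32_t i = 0; i < n; i++)
        if (fwrite(&rh, sizeof rh, 1, out) != 1 || fwrite(pkt, sizeof pkt, 1, out) != 1) return -1;
    if (fflush(out) != 0) return -1;            /* flush first, announce second */
    return write(notify_fd, &n, sizeof n) == (ssize_t)sizeof n ? 0 : -1;
}

/* Reader (hypothetical helper): wait for a count on the pipe, then read exactly that many packets. */
static int reader_consume(int in_fd, int notify_fd) {
    uint32_t n; struct rec_hdr rh; unsigned char pkt[PAYLOAD];
    if (read(notify_fd, &n, sizeof n) != (ssize_t)sizeof n) return -1;
    for (uint32_t i = 0; i < n; i++) {
        if (read(in_fd, &rh, sizeof rh) != (ssize_t)sizeof rh || rh.caplen > sizeof pkt) return -1;
        if (read(in_fd, pkt, rh.caplen) != (ssize_t)rh.caplen) return -1;
    }
    return (int)n;
}

/* Runs three write/notify/read rounds; returns packets read, or -1 on error. */
int demo(long *size_before_flush) {
    char path[] = "/tmp/livecapXXXXXX";
    struct file_hdr fh = {0xa1b2c3d4, 2, 4, 0, 0, 65535, 1};
    int p[2], got, total = 0, wfd = mkstemp(path);
    FILE *out = wfd < 0 ? NULL : fdopen(wfd, "wb");
    int in_fd = open(path, O_RDONLY);
    if (!out || in_fd < 0 || pipe(p) != 0 || fwrite(&fh, sizeof fh, 1, out) != 1) return -1;
    *size_before_flush = (long)lseek(in_fd, 0, SEEK_END);  /* header is still in the stdio buffer */
    if (fflush(out) || lseek(in_fd, 0, SEEK_SET) || read(in_fd, &fh, sizeof fh) != (ssize_t)sizeof fh) return -1;
    for (int round = 0; round < 3; round++) {
        if (writer_emit(out, p[1], 5) != 0 || (got = reader_consume(in_fd, p[0])) < 0) return -1;
        total += got;
    }
    fclose(out); close(in_fd); close(p[0]); close(p[1]); unlink(path);
    return total;
}
```

Because the reader only reads what has been announced, it never hits end-of-file in the middle of a record, and the `caplen` bound check keeps a corrupt length field from overrunning its buffer.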