Wireshark mailing list archives
Re: Is it possible to do live-capture on saved pcap file ?
From: Guy Harris <guy () alum mit edu>
Date: Wed, 1 Jun 2011 11:58:50 -0700
On Jun 1, 2011, at 11:51 AM, Alexey Eromenko wrote:
Is it possible to do live-capture on saved pcap file ? (Like I do on real interfaces) I tried: (on Wireshark 1.2) $ wireshark -S -r mycapture.pcap
"Live capture" involves dumpcap writing to a file *and* sending to Wireshark/TShark, over a pipe, "there are N more packets" messages. You would have to add to dumpcap the ability to "capture from a file" in order to do that; I infer from the "$" in the command that you're using some flavor of UN*X, so think of it as dumpcap doing the equivalent of "tail -f" on the capture file. (I don't think the "capture from a pipe" will do it - reading from a pipe, when you're at the end of the data currently written to the pipe, blocks waiting for more data to arrive, but reading from a file, when you're at the end of the file, just returns 0 bytes, so you'd have to either block (in a platform-dependent fashion) waiting for the file to be modified, or wait a short period of time and try again.) ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Is it possible to do live-capture on saved pcap file ? Alexey Eromenko (Jun 01)
- Re: Is it possible to do live-capture on saved pcap file ? Guy Harris (Jun 01)
- Re: Is it possible to do live-capture on saved pcap file ? Alexey Eromenko (Jun 01)
- Re: Is it possible to do live-capture on saved pcap file ? Guy Harris (Jun 01)