Wireshark mailing list archives
Re: Display dumpcap in real time
From: Guy Harris <guy () alum mit edu>
Date: Tue, 1 Nov 2011 15:17:55 -0700
On Nov 1, 2011, at 2:19 PM, Chip wrote:
> Thanks Guy, that's perfect information.
Note, BTW, that if you're running tcpdump without -w - as you presumably would be doing as per "I think I will go with tcpdump -S as really I am only caring about the connection information and not raw packet information" - note that neither -C nor -G will have any effect. Just as the -a/-b ring-buffer stuff in TShark only affects a pcap or pcap-ng raw capture file, not the dissected output of TShark, -C and -G only affect a pcap raw capture file, not the dissected output of tcpdump.

tcpdump, when run without -w, just writes the dissected information to the standard output. If you want the dissected information to show up on the screen *and* get written to a file, you'd have to pipe its output to another program (which means tcpdump's standard output would be a pipe, causing it to buffer output at the block level rather than the line level, so some screen output would get delayed); if you want it written to a rotating sequence of files, you'd need to have the program that reads from the pipe be one that supports that sort of ring buffer. There are probably beefed-up versions of "tee" that can do that, but, if so, I'm not familiar with them.

Note that capture filters and snapshot lengths work in tcpdump as they do in dumpcap/Wireshark/TShark (or put it the other way around if you want to be historically accurate).

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
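A sketch of the "beefed-up tee" the message describes, as an added example that is not part of the original post and not code from tcpdump or Wireshark: it copies each line of dissected output to the screen and to a ring of size-limited text files. The `RotatingTee` name, the `base.NNNNN` file naming and the argument order are assumptions made for illustration (`keep` must be at least 1); tcpdump's `-l` option, which makes its standard output line buffered, addresses the pipe-buffering delay mentioned above.

```python
"""Rotating tee: copy stdin to the screen and to a ring of size-limited files.

Hypothetical helper, not part of tcpdump or Wireshark. Example use:
    tcpdump -l -S -n | python3 rotating_tee.py conn.txt 1000000 5
"""
import os
import sys


class RotatingTee:
    def __init__(self, base, max_bytes, keep, screen=sys.stdout):
        self.base, self.max_bytes, self.keep = base, max_bytes, keep
        self.screen = screen
        self.index = 0      # sequence number of the file being written
        self.out = None
        self._open()

    def _path(self, index):
        return "%s.%05d" % (self.base, index)

    def _open(self):
        if self.out:
            self.out.close()
        self.out = open(self._path(self.index), "w", encoding="utf-8")
        self.size = 0
        # Ring behaviour: delete the file that just fell out of the window.
        expired = self._path(self.index - self.keep)
        if self.index >= self.keep and os.path.exists(expired):
            os.remove(expired)

    def write(self, line):
        self.screen.write(line)
        self.screen.flush()     # show each line at once, even through a pipe
        nbytes = len(line.encode("utf-8"))
        # Rotate before a line that would overflow a non-empty file.
        if self.size and self.size + nbytes > self.max_bytes:
            self.index += 1
            self._open()
        self.out.write(line)
        self.out.flush()        # keep the file current if we are interrupted
        self.size += nbytes


def main(argv):
    tee = RotatingTee(argv[1], int(argv[2]), int(argv[3]))
    # With tcpdump -l upstream, lines arrive here as they are printed.
    for line in sys.stdin:
        tee.write(line)


if __name__ == "__main__":
    main(sys.argv)
```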