Wireshark mailing list archives
Re: Adding pcap-ng pipe support to dumpcap
From: Guy Harris <guy () alum mit edu>
Date: Thu, 31 Aug 2017 11:32:05 -0700
On Aug 31, 2017, at 11:09 AM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:
> A counter argument to this would be that there are some advantages to not using a (temporary) file as the buffer packets.
For Wireshark, you have no alternative, as packets aren't processed only once. For TShark with -2, the same applies.

TShark with one pass is the one place where you wouldn't want a temporary file.

And the current scheme we have for extcap involves a temporary file, as the extcap programs talk to dumpcap, which always writes temporary files.

So, if we want to get rid of the temporary file for one-pass TShark (which would probably be a good idea), what we'd want to do is have extcap piping packets directly to TShark.

If we can also have TShark directly capturing (with a libpcap that does its own privilege separation), completely removing dumpcap:

  one-pass TShark would read packets from a pcap_t or a pipe, writing to a file *if* asked to do so, and dissecting packets *if* asked to do so;

  two-pass TShark would read packets from a pcap_t or a pipe, writing to a file unconditionally, dissecting the packets but not printing anything and, when the capture is complete, going back and re-dissecting the packets in the file and printing the results.

Wireshark would, in this world, read packets from a pcap_t or a pipe, writing to a file unconditionally, and adding them to its packet list, but not displaying the results of that dissection (not generating columns or a protocol tree); the packet list and packet details panes would display stuff based on a subsequent dissection (so it shows the result of dissections *after* the first pass).