Wireshark mailing list archives

Re: Possible New Option for Tshark?


From: Mark Landriscina <mlandri1 () jhu edu>
Date: Sun, 24 Oct 2010 10:33:57 -0400

Using -T with pdml/psml would probably be the best approach if you want text output. However, if that doesn't work for 
you, then you could consider doing what some programs like SCAPY do. Save your packets in a temp pcap file and pass the 
file name to your tshark child process when you are spawning it.  When tshark finishes reading all the packets in your 
temp file and writes all the dissection data to wherever you are sending it (assuming a pipe), tshark will close and 
your read will stop blocking. If you want to dissect more packets later on, just respawn another tshark child process.

I've done something similar in Python and it works just fine. If you know Python, download and take a look at SCAPY's 
wireshark function.

Regards,
Mark


On Oct 23, 2010, at 2:49 AM, Guy Harris wrote:


On Oct 22, 2010, at 9:43 PM, Stephen Fisher wrote:

On Thu, Oct 21, 2010 at 03:29:36PM -0500, Craig Votava wrote:

I wrote a Perl script that feeds pcap data to an instance of tshark 
running in a child process, then takes the decoded output to present 
to the user.

The problem is that I don't know when tshark is done sending output 
back to me.

How about using "pdml" or "psml" with the -T option.

...especially given that the default ("-T text") output of TShark is designed for humans, not programs, to read.  If 
your program can read it, great, but if it's easier for it to read PSML or PDML....

(Yes, I know about the UNIX philosophy with respect to program output.  At times, it can lead to output that's 
suboptimal for humans to read but not *quite* as parsable by software as one might like, i.e. it can sacrifice human 
readability without gaining sufficient program readability to make up for it - sometimes you might as well just have 
two separate formats and be done with it.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
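The temp-pcap-and-child-tshark pattern Mark describes, written out as an added Python example (not code from the thread and not Scapy's `wireshark()` function): frames are serialized to a temporary pcap, `tshark -r <file> -T pdml` is spawned on it, stdout is read until tshark exits, and the PDML is reduced to protocol layers and field values. The ARP frame and the PDML fragment are constructed samples, and `tshark` is assumed to be on PATH for the live path; without it the parser runs on the constructed PDML.

```python
import os, struct, subprocess, tempfile, shutil
import xml.etree.ElementTree as ET

# Constructed sample frame (not from the page): a 42-byte Ethernet/ARP request.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"                   # Ethernet dst, src, type=ARP
    "0001" "0800" "06" "04" "0001"                         # ARP ether/IPv4, hlen, plen, request
    "001122334455" "c0a8010a" "000000000000" "c0a80101")   # sender, target MAC+IP

def build_pcap(frames, linktype=1):
    """Serialize raw frames into a classic little-endian pcap (DLT_EN10MB by default)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def dissect_with_tshark(frames, tshark="tshark"):
    """Write a temp pcap, spawn tshark on it, read stdout to EOF. Since tshark reads a
    finite file it exits after the last packet, so the read returns instead of blocking."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(build_pcap(frames))
        proc = subprocess.run([tshark, "-r", path, "-T", "pdml"],
                              capture_output=True, check=True, timeout=60)
        return proc.stdout.decode()
    finally:
        os.unlink(path)

def summarize_pdml(pdml_text):
    """Reduce PDML to one dict per packet: protocol layers plus field name -> 'show' value."""
    packets = []
    for pkt in ET.fromstring(pdml_text).findall("packet"):
        layers = [p.get("name") for p in pkt.findall("proto") if p.get("name") != "geninfo"]
        fields = {f.get("name"): f.get("show") for f in pkt.iter("field") if f.get("name")}
        packets.append({"layers": layers, "fields": fields})
    return packets

# Constructed PDML shaped like tshark -T pdml output, for machines without tshark.
SAMPLE_PDML = """<?xml version="1.0"?><pdml version="0" creator="constructed-sample"><packet>
<proto name="geninfo"><field name="num" show="1"/></proto>
<proto name="frame"><field name="frame.len" show="42"/></proto>
<proto name="eth"><field name="eth.type" show="0x0806"/></proto>
<proto name="arp"><field name="arp.opcode" show="1"/></proto>
</packet></pdml>"""

if __name__ == "__main__":
    text = dissect_with_tshark([ARP_REQUEST]) if shutil.which("tshark") else SAMPLE_PDML
    for p in summarize_pdml(text):
        print(p["layers"], p["fields"].get("arp.opcode"))
```

To dissect more packets later, call `dissect_with_tshark` again; each call is a fresh tshark child that terminates on its own once the temp file is exhausted.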
