Re: PCap-NG support in Wireshark and Tshark

[Jakub Zawadzki <darkjames-ws () darkjames pl>]

On Sun, Dec 29, 2013 at 03:41:05AM -0800, Guy Harris wrote:
> On Dec 18, 2013, at 4:46 AM, Matthias Lang <wireshark () matthias fastmail fm> wrote:
>
> > 1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
> >   allowed. But it actually works fine. Manpage says:
> >
> >    | =item -r  E<lt>infileE<gt>
> >    |
> >    | Read packet data from I<infile>, can be any supported capture file format
> >    | (including gzipped files).  It's B<not> possible to use named pipes
> >    | or stdin here!
> >
> >   Here's what happens, i.e. it works just fine:
>
> That text might have been historically correct; some changes have been made to libwiretap to attempt to make it work, 
> at least with some capture file formats:
> [...] 
> Fortunately, both pcap and pcap-ng formats have magic numbers near the beginning, and their open routines are called 
> before other ones (as they're the native formats for Wireshark), so reading pcap or pcap-ng files from a pipe will 
> probably work (although the pcap file reader does some additional reading to try to handle some non-standard pcap 
> formats, and if *that* reads more than will fit in a buffer, the pcap-ng reader won't get to read the file as the 
> seek-to-the-beginning will fail on a pipe).
>
> So it's more like "it might, or might not, be possible to read from a pipe here, depending on the file type and the 
> contents of the file".

It doesn't always work with pcap-ng, for example check bug #9533 [1].

[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9533

Kuba.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe