Wireshark mailing list archives
Re: Adding pcap-ng pipe support to dumpcap
From: Guy Harris <guy () alum mit edu>
Date: Wed, 30 Aug 2017 18:31:43 -0700
On Aug 30, 2017, at 6:00 PM, Ed Beroset <beroset () mindspring com> wrote:
> One problem is that as dumpcap is currently written, it treats files and pipes very differently.

*Files* and pipes, or *capture devices* and pipes?

> but I can't help but think that the general approach you describe is the better long term strategy.

Probably. It means that the interface between *shark and extcap programs would be different - but, while having extcap programs behave like dumpcap might complicate the extcap programs (although some of the code to do that could be in a library used by dumpcap and by extcap programs), it might simplify the Wireshark capture code path.

> There are some limitations. Specifically, pipes don't allow random access, so any file formats that currently require that would need to either be rewritten

Which, for at least one capture file format (Network Monitor format), would be impossible, as we don't define it, Microsoft does (and they're probably not very amenable to changing it, not least because they've deprecated NetMon in favor of Message Analyzer). The only file formats *we* control to any degree are pcap and pcapng, neither of which require random access in order to read them sequentially.

If we make extcap programs work like dumpcap, the only pipe involved is the control pipe between *shark and the program - the packets are written directly to a file - but that wouldn't make any difference for those file formats, as you can't, for example, read a NetMon file until it's *completely* written, with a frame table, and you can't do that until you've written all the packets to it.

However, I suspect Stephen is thinking of ERF format, which should be writable purely sequentially, so it shouldn't be a problem, whether you're writing to a pipe or to a file that's being read incrementally.
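
The point above that pcapng can be read sequentially without random access, as an added example (not part of the original message, and not Wireshark or dumpcap code): a forward-only block reader fed from an OS pipe, which validates each block's leading and trailing length because the input is untrusted. The function names, the `MAX_BLOCK` cap and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

SHB = b"\x0a\x0d\x0d\x0a"        # Section Header Block type (same in either byte order)
MAX_BLOCK = 16 * 1024 * 1024     # assumed sanity cap for this example, not a pcapng limit

def read_exact(stream, n, eof_ok=False):
    """Forward-only read of n bytes from a buffered stream; None on clean EOF if eof_ok."""
    buf = stream.read(n)         # buffered binary streams return short only at EOF
    if not buf and eof_ok:
        return None
    if len(buf) != n:
        raise ValueError("stream ended inside a block")
    return buf

def iter_blocks(stream):
    """Yield (block_type, body) from a pcapng stream using read() only, never seek()."""
    endian = None
    while (raw_type := read_exact(stream, 4, eof_ok=True)) is not None:
        raw_len, prefix = read_exact(stream, 4), b""
        if raw_type == SHB:
            prefix = read_exact(stream, 4)   # byte-order magic fixes how to decode raw_len
            endian = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(prefix)
        if endian is None:
            raise ValueError("no valid Section Header Block before this block")
        (total,) = struct.unpack(endian + "I", raw_len)
        seen = 8 + len(prefix)
        if total % 4 or not seen + 4 <= total <= MAX_BLOCK:
            raise ValueError("implausible block length")
        rest = read_exact(stream, total - seen)
        if rest[-4:] != raw_len:
            raise ValueError("trailing length does not match leading length")
        yield struct.unpack(endian + "I", raw_type)[0], prefix + rest[:-4]

def block(btype, body):          # builds one little-endian sample block
    size = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + size + body + size

# Constructed sample: section header, one interface description, one 4-byte packet.
SAMPLE = (block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + block(1, struct.pack("<HHI", 1, 0, 65535))
          + block(6, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef"))

def blocks_from_pipe(data):
    """Push data through a non-seekable OS pipe and parse it from the read end."""
    r, w = os.pipe()
    os.write(w, data)            # sample is far smaller than the pipe buffer
    os.close(w)
    with os.fdopen(r, "rb") as stream:
        return stream.seekable(), [(t, len(b)) for t, b in iter_blocks(stream)]
```
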