Wireshark mailing list archives

Tshark closing unexpectedly due to failure reading from file


From: Alastair Scott <ads () exegin com>
Date: Mon, 16 Nov 2020 12:45:48 -0800

Hi all,

I'm experiencing an issue where tshark is stopping unexpectedly. I have a
process streaming pcapng data over a TCP socket to tshark and using
tshark's TCP@ interface type on the command line. Most of the time
everything will be fine but every now and then tshark will stop right away
and print "0 packets captured" to stderr. This seems to occur much more
frequently when running tshark as a subprocess in a Python script, however
it also occurs when launching tshark from the command line.

The bug occurs when calling the command "tshark -i TCP@127.0.0.1:19000"
from the command line. Before any packets are written to stdout, tshark.c
calls sync_pipe_stop which ends the capture session. Right before that,
inside wtap_read *err gets set to -12 which is WTAP_ERR_SHORT_READ. Looking
a little deeper, it looks like pcapng_read_block() is called from
wiretap/pcapng.c and returns PCAPNG_BLOCK_NOT_SHB, due to a short read or
EOF. This usually happens at least once every 20 to 30 attempts.

Is it possible there could be some timing problem with writes to the
/tmp/wireshark_*****.pcapng file in dumpcap getting flushed and then
reading from tshark? If not, what are some other possible reasons this
could be occurring?

I've posted an in-depth description of the issue with logs and pcaps
attached here: https://gitlab.com/wireshark/wireshark/-/issues/17013

Regards,

Alastair
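
The condition asked about above, shown as an added example (not part of the original post and not Wireshark's wiretap code): a reader following a pcapng file that is still being written can see the data end inside a block, and the block's own length field says how many bytes are still missing. It assumes a single section; `make_block`, `complete_blocks` and the sample blocks are constructed for illustration and make no claim about the cause of the reported behaviour.

```python
import struct

SHB_TYPE = 0x0A0D0D0A           # Section Header Block type, a byte-order palindrome
BYTE_ORDER_MAGIC = 0x1A2B3C4D   # first field of the SHB body

def make_block(block_type, body, endian="<"):
    """Build one pcapng block: type, total length, padded body, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return (struct.pack(endian + "II", block_type, total) + body
            + struct.pack(endian + "I", total))

def complete_blocks(buf):
    """Return (block_types, consumed, missing) for the bytes visible so far.

    missing > 0 means the data ends inside a block, so a reader following a
    growing file should wait for more bytes instead of treating it as an error.
    """
    if len(buf) < 12:
        return [], 0, 12 - len(buf)
    if struct.unpack_from("<I", buf, 0)[0] != SHB_TYPE:
        raise ValueError("data does not start with a Section Header Block")
    # The magic after the 8-byte block header fixes the section's byte order.
    for endian in "<>":
        if struct.unpack_from(endian + "I", buf, 8)[0] == BYTE_ORDER_MAGIC:
            break
    else:
        raise ValueError("bad byte-order magic")
    types, pos = [], 0
    while pos < len(buf):
        left = len(buf) - pos
        if left < 8:                       # block header itself is cut off
            return types, pos, 8 - left
        btype, total = struct.unpack_from(endian + "II", buf, pos)
        if total < 12 or total % 4:
            raise ValueError(f"corrupt block length {total} at offset {pos}")
        if left < total:                   # body or trailing length not written yet
            return types, pos, total - left
        types.append(btype)
        pos += total
    return types, pos, 0

# Constructed sample: an SHB followed by an Interface Description Block (type 1).
SHB = make_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
IDB = make_block(1, struct.pack("<HHI", 1, 0, 262144))   # LINKTYPE_ETHERNET
FULL = SHB + IDB

if __name__ == "__main__":
    for cut in (0, 10, 40, len(FULL)):     # what a reader sees at four moments
        print(cut, complete_blocks(FULL[:cut]))
```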