Home page logo
/

wireshark logo Wireshark mailing list archives

Re: PCap-NG support in Wireshark and Tshark
From: Jakub Zawadzki <darkjames-ws () darkjames pl>
Date: Sun, 29 Dec 2013 15:11:40 +0100

On Sun, Dec 29, 2013 at 03:41:05AM -0800, Guy Harris wrote:

On Dec 18, 2013, at 4:46 AM, Matthias Lang <wireshark () matthias fastmail fm> wrote:

1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
  allowed. But it actually works fine. Manpage says:

   | =item -r  E<lt>infileE<gt>
   |
   | Read packet data from I<infile>, can be any supported capture file format
   | (including gzipped files).  It's B<not> possible to use named pipes
   | or stdin here!

  Here's what happens, i.e. it works just fine:

That text might have been historically correct; some changes have been made to libwiretap to attempt to make it work, 
at least with some capture file formats:
[...] 
Fortunately, both pcap and pcap-ng formats have magic numbers near the beginning, and their open routines are called 
before other ones (as they're the native formats for Wireshark), so reading pcap or pcap-ng files from a pipe will 
probably work (although the pcap file reader does some additional reading to try to handle some non-standard pcap 
formats, and if *that* reads more than will fit in a buffer, the pcap-ng reader won't get to read the file as the 
seek-to-the-beginning will fail on a pipe).

So it's more like "it might, or might not, be possible to read from a pipe here, depending on the file type and the 
contents of the file".

It doesn't always work with pcap-ng, for example check bug #9533 [1].

[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9533

Kuba.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault