On Dec 18, 2013, at 4:46 AM, Matthias Lang <wireshark () matthias fastmail fm> wrote:
1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
allowed. But it actually works fine. Manpage says:
| =item -r E<lt>infileE<gt>
| Read packet data from I<infile>, can be any supported capture file format
| (including gzipped files). It's B<not> possible to use named pipes
| or stdin here!
Here's what happens, i.e. it works just fine:
That text might have been historically correct; some changes have been made to libwiretap to attempt to make it work,
at least with some capture file formats:
Fortunately, both pcap and pcap-ng formats have magic numbers near the beginning, and their open routines are called
before other ones (as they're the native formats for Wireshark), so reading pcap or pcap-ng files from a pipe will
probably work (although the pcap file reader does some additional reading to try to handle some non-standard pcap
formats, and if *that* reads more than will fit in a buffer, the pcap-ng reader won't get to read the file as the
seek-to-the-beginning will fail on a pipe).
So it's more like "it might, or might not, be possible to read from a pipe here, depending on the file type and the
contents of the file".
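
The behaviour described above, as an added example (not code from this thread or from libwiretap): it identifies pcap or pcap-ng from the leading magic bytes, then attempts the seek-to-the-beginning that fails on a pipe but succeeds on a regular file. The names `classify_magic`, `sniff_fd` and `sniff_demo` are hypothetical, and the two sample headers are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() under strict -std=c99 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
enum cap_type { CAP_UNKNOWN, CAP_PCAP, CAP_PCAPNG };
/* Constructed sample headers (not from the thread): pcap global header, pcap-ng SHB. */
static const unsigned char SAMPLE_PCAP[24] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0 };
static const unsigned char SAMPLE_PCAPNG[28] = { 0x0a,0x0d,0x0d,0x0a, 0x1c,0,0,0,
    0x4d,0x3c,0x2b,0x1a, 1,0, 0,0, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0x1c,0,0,0 };
/* Magic: pcap-ng Section Header Block type, or pcap (usec/nsec, either byte order). */
static enum cap_type classify_magic(const unsigned char m[4]) {
    static const unsigned char pcap[4][4] = { {0xa1,0xb2,0xc3,0xd4}, {0xd4,0xc3,0xb2,0xa1},
                                              {0xa1,0xb2,0x3c,0x4d}, {0x4d,0x3c,0xb2,0xa1} };
    if (memcmp(m, "\x0a\x0d\x0d\x0a", 4) == 0) return CAP_PCAPNG;
    for (int i = 0; i < 4; i++) if (memcmp(m, pcap[i], 4) == 0) return CAP_PCAP;
    return CAP_UNKNOWN;
}
/* Read the magic, then try the rewind a later open routine needs (fails on a pipe). */
enum cap_type sniff_fd(int fd, int *rewound) {
    unsigned char m[4];
    size_t got = 0; ssize_t n;
    while (got < sizeof m && (n = read(fd, m + got, sizeof m - got)) > 0)
        got += (size_t)n;                      /* pipes can return short reads */
    *rewound = (lseek(fd, 0, SEEK_SET) == 0);  /* -1 with ESPIPE on a pipe */
    return got == sizeof m ? classify_magic(m) : CAP_UNKNOWN;
}
/* Feed hdr through a pipe (use_pipe != 0) or a seekable temp file, then sniff it. */
enum cap_type sniff_demo(int use_pipe, const unsigned char *hdr, size_t len, int *rewound) {
    enum cap_type t = CAP_UNKNOWN;
    int p[2]; FILE *f;
    *rewound = 0;
    if (use_pipe && pipe(p) == 0) {
        int ok = write(p[1], hdr, len) == (ssize_t)len;
        close(p[1]);                           /* reader sees EOF after the data */
        if (ok) t = sniff_fd(p[0], rewound);
        close(p[0]);
    } else if (!use_pipe && (f = tmpfile()) != NULL) {
        if (fwrite(hdr, 1, len, f) == len && fflush(f) == 0 && lseek(fileno(f), 0, SEEK_SET) == 0)
            t = sniff_fd(fileno(f), rewound);
        fclose(f);
    }
    return t;
}
int main(void) {
    int rp, rf, tp = sniff_demo(1, SAMPLE_PCAP, sizeof SAMPLE_PCAP, &rp);
    int tf = sniff_demo(0, SAMPLE_PCAPNG, sizeof SAMPLE_PCAPNG, &rf);
    printf("pipe: type=%d rewound=%d\nfile: type=%d rewound=%d\n", tp, rp, tf, rf);
}
```

In both cases the type is recognised from the first four bytes; only the rewind result differs, which is why a reader that has to start over after a failed format probe cannot do so on a pipe without buffering what it already consumed.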