On Sun, Dec 29, 2013 at 03:41:05AM -0800, Guy Harris wrote:
> 
> On Dec 18, 2013, at 4:46 AM, Matthias Lang <wiresh...@matthias.fastmail.fm> wrote:
> 
> > 1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
> >   allowed. But it actually works fine. Manpage says:
> > 
> >    | =item -r  E<lt>infileE<gt>
> >    |
> >    | Read packet data from I<infile>, can be any supported capture file format
> >    | (including gzipped files).  It's B<not> possible to use named pipes
> >    | or stdin here!
> > 
> >   Here's what happens, i.e. it works just fine:
> 
> That text might have been historically correct; some changes have been made 
> to libwiretap to attempt to make it work, at least with some capture file 
> formats:
> [...] 
> Fortunately, both pcap and pcap-ng formats have magic numbers near the 
> beginning, and their open routines are called before other ones (as they're 
> the native formats for Wireshark), so reading pcap or pcap-ng files from a 
> pipe will probably work (although the pcap file reader does some additional 
> reading to try to handle some non-standard pcap formats, and if *that* reads 
> more than will fit in a buffer, the pcap-ng reader won't get to read the file 
> as the seek-to-the-beginning will fail on a pipe).
> 
> So it's more like "it might, or might not, be possible to read from a pipe 
> here, depending on the file type and the contents of the file".

It doesn't always work with pcap-ng; for example, check bug #9533 [1].

[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9533

Kuba.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
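
The failure mode described in the quoted text above, as an added Python example that is not part of this thread and is not libwiretap code: format openers run in order over a pipe, and the second opener only works if the first one's reads still fit in the look-back buffer. `PipeReader`, `sniff`, `buffer_size` and `pcap_probe_bytes` are hypothetical names; the magic values are the standard pcap and pcap-ng ones, and the sample inputs are constructed.

```python
import os

PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",   # microsecond pcap
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}   # nanosecond pcap
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block type


class PipeReader:
    """Non-seekable stream whose only 'rewind' is a bounded look-back buffer."""
    def __init__(self, stream, buffer_size):
        self.stream, self.buffer_size = stream, buffer_size
        self.seen, self.pos = b"", 0

    def read(self, n):
        missing = self.pos + n - len(self.seen)
        if missing > 0:
            self.seen += self.stream.read(missing)
        data = self.seen[self.pos:self.pos + n]
        self.pos += len(data)
        return data

    def rewind(self):
        if len(self.seen) > self.buffer_size:
            raise OSError("cannot seek to start: data left the buffer")
        self.pos = 0


def sniff(data, buffer_size, pcap_probe_bytes):
    """Feed `data` through a real pipe; try the pcap opener, then pcap-ng."""
    rfd, wfd = os.pipe()
    with os.fdopen(wfd, "wb") as w:
        w.write(data)
    with os.fdopen(rfd, "rb") as r:
        reader = PipeReader(r, buffer_size)
        # Opener 1 (pcap): magic plus extra probing (unconditional here, a simplification).
        magic = reader.read(4)
        reader.read(pcap_probe_bytes)
        if magic in PCAP_MAGICS:
            return "pcap"
        try:
            reader.rewind()  # Opener 2 (pcap-ng) needs offset 0 again.
        except OSError:
            return "unreadable"
        return "pcapng" if reader.read(4) == PCAPNG_MAGIC else "unknown"


SAMPLE_PCAPNG = PCAPNG_MAGIC + bytes(252)      # constructed: only the magic matters
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + bytes(252)  # constructed: only the magic matters
```

The same pcap-ng bytes are recognised or rejected depending only on how far the first opener read relative to the buffer, which is the "might, or might not" behaviour discussed in the thread.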
