On Sun, Dec 29, 2013 at 03:41:05AM -0800, Guy Harris wrote:
>
> On Dec 18, 2013, at 4:46 AM, Matthias Lang <wireshark@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > 1. The manpage (tshark.pod) for 'tshark' says reading from stdin isn't
> > allowed. But it actually works fine. Manpage says:
> >
> > | =item -r E<lt>infileE<gt>
> > |
> > | Read packet data from I<infile>, can be any supported capture file format
> > | (including gzipped files). It's B<not> possible to use named pipes
> > | or stdin here!
> >
> > Here's what happens, i.e. it works just fine:
>
> That text might have been historically correct; some changes have been made to libwiretap to attempt to make it work, at least with some capture file formats:
> [...]
> Fortunately, both pcap and pcap-ng formats have magic numbers near the beginning, and their open routines are called before other ones (as they're the native formats for Wireshark), so reading pcap or pcap-ng files from a pipe will probably work (although the pcap file reader does some additional reading to try to handle some non-standard pcap formats, and if *that* reads more than will fit in a buffer, the pcap-ng reader won't get to read the file as the seek-to-the-beginning will fail on a pipe).
>
> So it's more like "it might, or might not, be possible to read from a pipe here, depending on the file type and the contents of the file".

It doesn't always work with pcap-ng; for example, check bug #9533 [1].

[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9533

Kuba.
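
An added illustration of the mechanism described in the quoted reply above (not libwiretap code and not written by anyone in the thread): format detection by magic number on a real OS pipe, where the seek back to the beginning fails and the sniffed bytes have to be replayed from a buffer instead. The function names, the 12-byte peek size and the sample headers are constructed for this example.

```python
import os
import struct

PCAP_MAGICS = {0xA1B2C3D4: "pcap (microsecond)", 0xA1B23C4D: "pcap (nanosecond)"}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"   # Section Header Block type
PCAPNG_BOM = 0x1A2B3C4D                 # byte-order magic at offset 8
PEEK = 12                               # block type + block length + byte-order magic

# Constructed sample headers (no packets): a pcap global header and a pcap-ng SHB.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1, 28)


def sniff(stream):
    """Return (format_name, head); head is what was consumed and must be replayed."""
    head = b""
    while len(head) < PEEK:             # a pipe read may return fewer bytes than asked
        chunk = stream.read(PEEK - len(head))
        if not chunk:
            break
        head += chunk
    name = "unknown"
    for order in ("<", ">"):            # the writer's byte order is not known in advance
        if len(head) >= 4 and struct.unpack(order + "I", head[:4])[0] in PCAP_MAGICS:
            name = PCAP_MAGICS[struct.unpack(order + "I", head[:4])[0]]
        if (len(head) == PEEK and head[:4] == PCAPNG_SHB_TYPE
                and struct.unpack(order + "I", head[8:12])[0] == PCAPNG_BOM):
            name = "pcapng"
    return name, head


def sniff_via_pipe(data):
    """Push data through an OS pipe; return (name, seekable, rewound, replay_ok)."""
    r, w = os.pipe()
    with os.fdopen(w, "wb") as wf:      # small constructed input fits the pipe buffer
        wf.write(data)
    with os.fdopen(r, "rb") as rf:
        seekable = rf.seekable()
        name, head = sniff(rf)
        try:
            rf.seek(0)                  # the seek-to-the-beginning step
            rewound = True
        except OSError:                 # io.UnsupportedOperation on a pipe
            rewound = False
        replayed = head + rf.read()     # recover by replaying the sniffed bytes
    return name, seekable, rewound, replayed == data


if __name__ == "__main__":
    for sample in (SAMPLE_PCAP, SAMPLE_PCAPNG):
        print(sniff_via_pipe(sample))
```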