Wireshark-users: Re: [Wireshark-users] Reading tcpdump files while still sniffing
From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Tue, 11 Jul 2006 10:16:59 +0800


Dominik Herrmann wrote:
> Hi all,
>
> I am trying to access a tcpdump file created by
> tcpdump -i /dev/eth0 -w dumpfile
> with wireshark WHILE the dump is still running (and the file keeps growing).
>
> Can wireshark "attach" to this file and report the packets as they are
> written to the dumpfile?

Unfortunately, no. (I say unfortunately because I, too, would like that functionality.) It may be possible to modify Wireshark to do that but so far no one has attempted or completed that task.

> Background: I want to set up 2-3 instances of Wireshark which read the
> dumpfile but display only parts of the traffic by employing filters.
>
> Are there other solutions?

Hmmm, not that I can think of (other than doing all your filtering after the capture is done which is obviously not what you want).