On Mar 23, 2009, at 9:01 PM, Chris Henderson wrote:
> Tried: tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o
> column.format:'"Source MAC","%hs"' > /tmp/capture &
> but get nothing in the file.
How long did you let it run?
> ps -ef | grep shark shows tshark -i eth0
> -n port 68 -R bootp.type == 2 -o column.format:"Source MAC","%hs"
> pkill shark - and I get the /tmp/capture file with all the entries!
What signal does pkill send?
If it sends SIGTERM, for example, then:
1) tshark, like a lot of other programs, uses the "standard I/O"
routines (printf/fprintf, fputs, etc.) to write to the standard output;
2) the standard I/O routines are, by default, block-buffered, which
means that, if the buffer size is N bytes (N will probably be
somewhere between 4K and 8K bytes), nothing will be written to the
file until N bytes worth of output have been generated by those
routines;
3) if you terminate the process gracefully (i.e., with a signal that
it captures, such as SIGTERM), it will write out any buffered
information before exiting.
If you're just writing to a file, and have no reason to read from the
file until the program finishes, the right thing to do is not to read
from the file until the program finishes.
If you have some reason to read from the file before the program
finishes, what is the reason? The best way to handle that might be
different for different reasons. For example, if you pass tshark the
"-l" flag, it'll write out buffered information after each packet
arrives; that might be what you want, but it might also mean more
writes to the file than you want (the more stuff written per write,
and thus the fewer writes for the same amount of data written, the
lower the overhead).
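The buffering behaviour described in the reply, shown as an added, runnable C demo that is not part of this thread and not tshark's code: a forked writer pushes 100 short lines through a FILE* and then sleeps as if waiting for the next packet, while the parent checks the file size before and after sending it a signal. The block/line-buffered switch stands in for tshark's -l, and the optional SIGTERM handler stands in for the handler tshark installs; the /tmp path and the "Source MAC" sample lines are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample output: one fake "Source MAC" column per packet. */
#define LINE   "00:11:22:33:44:55\n"   /* 18 bytes */
#define NLINES 100                     /* 1800 bytes total, well under one 8K buffer */

/* Stand-in for the handler tshark installs: a clean exit() flushes every
 * open stdio stream.  exit() is not async-signal-safe in general; it is
 * harmless here only because the child is parked in pause(). */
static void on_term(int sig)
{
    (void)sig;
    exit(0);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Fork a writer that sends NLINES lines to `path` through a FILE* and then
 * sleeps, like tshark waiting for the next packet.  line_buffered mimics
 * tshark -l; handle_term mimics tshark's own SIGTERM handler.  On return
 * *alive is the file size seen while the child was still running and *dead
 * the size after it was sent `sig` and reaped.  Returns 0 on success. */
int run_writer(const char *path, int line_buffered, int handle_term, int sig,
               long *alive, long *dead)
{
    int ready[2];
    fflush(stdout);               /* don't let the child inherit our pending output */
    if (pipe(ready) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(ready[0]);
        signal(SIGTERM, handle_term ? on_term : SIG_DFL);
        FILE *fp = fopen(path, "w");
        if (!fp) _exit(2);
        /* A regular file is fully buffered by default; set it explicitly so
         * the demo does not depend on the C library's choice. */
        setvbuf(fp, NULL, line_buffered ? _IOLBF : _IOFBF, 8192);
        for (int i = 0; i < NLINES; i++) fputs(LINE, fp);
        if (write(ready[1], "x", 1) != 1) _exit(3);   /* "all packets written" */
        for (;;) pause();                             /* wait for the next packet forever */
    }
    close(ready[1]);
    char c;
    if (read(ready[0], &c, 1) != 1) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); return -1; }
    close(ready[0]);
    *alive = file_size(path);
    kill(pid, sig);
    waitpid(pid, NULL, 0);
    *dead = file_size(path);
    return 0;
}

int main(void)
{
    const char *p = "/tmp/stdio_buffer_demo.txt";  /* demo path; any writable file will do */
    long alive, dead;
    struct { const char *what; int lbuf, handler, sig; } cases[] = {
        { "block-buffered, no SIGTERM handler, SIGTERM",    0, 0, SIGTERM },
        { "block-buffered, handler exits cleanly, SIGTERM", 0, 1, SIGTERM },
        { "block-buffered, handler exits cleanly, SIGKILL", 0, 1, SIGKILL },
        { "line-buffered (like tshark -l), SIGTERM",        1, 1, SIGTERM },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (run_writer(p, cases[i].lbuf, cases[i].handler, cases[i].sig, &alive, &dead) != 0)
            return 1;
        printf("%-48s alive=%4ld bytes  after signal=%4ld bytes\n",
               cases[i].what, alive, dead);
    }
    unlink(p);
    return 0;
}
```

Two things the demo makes concrete. First, a signal only helps if the process catches it and exits cleanly: with the default SIGTERM disposition the child dies with its 1800 bytes still in the stdio buffer and the file stays empty, and SIGKILL loses the buffer whether or not a handler is installed, so `pkill -9` would have given the poster an empty /tmp/capture. Second, line buffering puts every line on disk as it is produced, which is what -l buys you, at the cost of one write() per packet instead of one per 8K of output.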