A bit confused with tshark -i -
I have a pcap file with 1,177,880 records
$ capinfos pcapfile
File name: pcapfile
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Packet size limit: file hdr: 65535 bytes
Number of packets: 1177880
File size: 772514406 bytes
Data size: 753668302 bytes
Capture duration: 4800 seconds
Start time: Fri Jan 31 13:50:00 2014
End time: Fri Jan 31 15:10:00 2014
Data byte rate: 156999.79 bytes/sec
Data bit rate: 1255998.34 bits/sec
Average packet size: 639.85 bytes
Average packet rate: 245.37 packets/sec
SHA1: 1ad68104a5ea50c2392340a9e5b6f2767e6dd34f
RIPEMD160: 519962c5e8cf8f742ebceb4d06380741fcca537b
MD5: 9594d754ae507f5cbe7cb6ac43cd361a
Strict time order: False
tshark is
$ tshark -v
TShark 1.4.10
Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.26.0, with libpcap 1.1.1, without libz, without
POSIX capabilities, without libpcre, with SMI 0.4.8, without c-ares, without
ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with
MIT Kerberos, with GeoIP.
Running on Linux 2.6.35.14-106.fc14.x86_64, with libpcap version 1.1.1.
Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).
doing
$ tshark -r pcapfile 2>/dev/null | wc -l
1177880
Is what I expected
but
cat pcapfile | tshark -i -
6.027531 192.168.240.107 -> 192.168.2....
499 packets captured
and confirming
cat pcapfile | tshark -i - 2>/dev/null | wc -l
499
What am I doing wrong ?
Thanks
-pete
stops after 499 packets
tshark -r pcapfile | wc -l
