On Dec 6, 2016, at 10:12 PM, Tugrul Erdogan <h.tugrul.erdo...@gmail.com> wrote:
> There is a pcap file which stores last X seconds of packets. And with each
> X seconds of a period, a new pcap file is created.
>
> I can successfully read the initial pcap file for X seconds with "tail -n+o
> -F <filename> | tcpdump -r - -nn".

To quote the Linux man page for tail:

       -n, --lines=K
              output the last K lines, instead of the last 10; or use -n +K to output lines starting with the Kth

The word "lines" appears in that text.

Pcap files do not have lines, so any program that processes a pcap file as if it had lines in it will almost certainly do something wrong with the file.

	tail -n+o

or, if this is what you really meant:

	tail -n+0

processes the file it's reading as if it has lines in it, so it will almost certainly do something wrong with the file.

You could *try* doing

	tail -F <filename> | tcpdump -r - -nn

but I'm not sure even *that* is guaranteed to treat the file as if it were a binary file - which is exactly what a pcap file is.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
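A record-oriented way to follow a growing pcap file, as an added example that is not part of the original message or of tcpdump: it consumes bytes by the pcap record headers rather than by lines, and holds back a record that is only partly written. The class name PcapFollower and the sample capture are constructed for illustration; only the classic microsecond pcap format is assumed.

```python
import struct

# Classic microsecond-resolution pcap magic as it appears on disk, mapped to byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


class PcapFollower:
    """Hypothetical incremental parser: feed() it whatever bytes have been written so far."""

    def __init__(self):
        self.buf = b""
        self.endian = None      # unknown until the 24-byte file header has arrived
        self.linktype = None

    def feed(self, chunk):
        """Append newly read bytes; return the (sec, usec, data) records now complete."""
        self.buf += chunk
        if self.endian is None:
            if len(self.buf) < 24:
                return []                   # file header not fully written yet
            self.endian = PCAP_MAGICS.get(self.buf[:4])
            if self.endian is None:
                raise ValueError("not a classic pcap file")
            self.linktype = struct.unpack(self.endian + "I", self.buf[20:24])[0]
            self.buf = self.buf[24:]
        packets = []
        while len(self.buf) >= 16:
            sec, usec, incl_len, _orig = struct.unpack(self.endian + "IIII", self.buf[:16])
            if len(self.buf) < 16 + incl_len:
                break                       # record still being written: keep it buffered
            packets.append((sec, usec, self.buf[16:16 + incl_len]))
            self.buf = self.buf[16 + incl_len:]
        return packets


def build_sample():
    """Constructed capture: two packets whose payloads contain newline bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    p1, p2 = b"\x0a\x00\x0a\x0aAAAA", b"BB\x0a\x0d\x0aCC"
    rec = lambda sec, data: struct.pack("<IIII", sec, 0, len(data), len(data)) + data
    return hdr + rec(1, p1) + rec(2, p2), (p1, p2)


if __name__ == "__main__":
    data, _ = build_sample()
    follower = PcapFollower()
    for i in range(0, len(data), 7):        # simulate arbitrary write boundaries
        for sec, usec, pkt in follower.feed(data[i:i + 7]):
            print(sec, usec, pkt.hex())
```

The 0x0a bytes inside the sample payloads are packet data, not line endings, so the record boundaries come only from the length field in each 16-byte record header.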