On Dec 18, 2013, at 4:46 AM, Matthias Lang <wiresh...@matthias.fastmail.fm> 
wrote:

> 3. Wireshark can read a Pcap from stdin, but not Pcap-NG.
> 
>   The following works fine:
> 
>> ./wireshark -r /tmp/dumpcap.pcapng
> 
>   But the following gets me an "Unrecognized libpcap format" dialog box:
> 
>> ./wireshark -k -i - < /tmp/dumpcap.pcapng
> 
>   I get the same dialog box if I do this:
> 
>> cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe  &
>> wireshark -k -i /tmp/a_named_pipe

That's better stated as "Wireshark can capture from a pipe if handed a pcap 
file, but not if handed a pcap-ng file"; Wireshark can't *read* from a pipe, 
but it can *capture* from a pipe and write the packets to a file (the packets 
*have* to be in a file in Wireshark, so that it can seek and re-read arbitrary 
packets).

And there's currently no code in dumpcap (which is what's reading from the 
pipe) to handle pcap-ng files, so, no, neither Wireshark nor TShark nor dumpcap 
can capture from a pipe if what's being written to the pipe is a pcap-ng file.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
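
An added example, not part of the original message and not Wireshark or dumpcap code: a small Python check that reads only the leading bytes of a pipe-like stream and reports whether it carries pcap or pcap-ng, which is the distinction behind the "Unrecognized libpcap format" dialog discussed above. The magic values come from the pcap and pcap-ng file formats; the function names and sample headers are hypothetical and constructed for illustration.

```python
import io
import struct

# pcap magic numbers as they appear on the wire -> (byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("big", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("little", "microsecond"),
    b"\xa1\xb2\x3c\x4d": ("big", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("little", "nanosecond"),
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, same in both byte orders
PCAPNG_BOM = 0x1A2B3C4D                # byte-order magic stored inside the SHB

# Constructed sample headers (not taken from a real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1, 28)


def read_exact(stream, n):
    """Read up to n bytes from a pipe-like stream, tolerating short reads."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def sniff_capture_stream(stream):
    """Classify a capture stream from its leading bytes, without seeking."""
    magic = read_exact(stream, 4)
    if magic in PCAP_MAGICS:
        order, unit = PCAP_MAGICS[magic]
        return {"format": "pcap", "byte_order": order, "timestamps": unit}
    if magic == PCAPNG_SHB_TYPE:
        # SHB layout: block type (4), total length (4), byte-order magic (4), ...
        rest = read_exact(stream, 8)
        for order, fmt in (("little", "<I"), ("big", ">I")):
            if len(rest) == 8 and struct.unpack(fmt, rest[4:8])[0] == PCAPNG_BOM:
                return {"format": "pcapng", "byte_order": order}
    return {"format": "truncated" if len(magic) < 4 else "unknown"}


def sniff_bytes(data):
    """Convenience wrapper for in-memory data."""
    return sniff_capture_stream(io.BytesIO(data))


if __name__ == "__main__":
    print(sniff_bytes(SAMPLE_PCAP), sniff_bytes(SAMPLE_PCAPNG))
```

The check consumes the bytes it reads, so on a real pipe (for example `sys.stdin.buffer`) it is a diagnostic to run on a copy of the stream, not a filter to place in front of the capture.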
