On Aug 31, 2017, at 11:09 AM, Jeff Morriss <[email protected]> wrote:
> A counter argument to this would be that there are some advantages to not
> using a (temporary) file as the buffer packets.
For Wireshark, you have no alternative, as packets aren't processed only once.
For TShark with -2, the same applies.

TShark with one pass is the one place where you wouldn't want a temporary file.
And the current scheme we have for extcap involves a temporary file, as the
extcap programs talk to dumpcap, which always writes temporary files.

So, if we want to get rid of the temporary file for one-pass TShark (which
would probably be a good idea), what we'd want to do is have extcap piping
packets directly to TShark. If we can also have TShark directly capturing
(with a libpcap that does its own privilege separation), completely removing
dumpcap:

  one-pass TShark would read packets from a pcap_t or a pipe, writing to
  a file *if* asked to do so, and dissecting packets *if* asked to do so;

  two-pass TShark would read packets from a pcap_t or a pipe, writing to
  a file unconditionally, dissecting the packets but not printing anything and,
  when the capture is complete, going back and re-dissecting the packets in the
  file and printing the results.

Wireshark would, in this world, read packets from a pcap_t or a pipe, writing
to a file unconditionally, and adding them to its packet list, but not
displaying the results of that dissection (not generating columns or a protocol
tree); the packet list and packet details panes would display stuff based on a
subsequent dissection (so it shows the result of dissections *after* the first
pass).
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
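An added illustration (my own, not code from Wireshark, TShark or this thread) of the one-pass versus two-pass split described in the message: a toy pcap stream reader that dissects straight off a pipe and only writes through when asked, beside a two-pass variant that has to spool to a temporary file because a pipe cannot be rewound. The Tee helper, the toy dissection and the sample frames are constructed for this example.

```python
import struct
import tempfile
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap magic number

def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, bytes) tuples into a pcap byte stream (linktype 1)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

class Tee:  # file-like reader that copies every byte it reads to an optional output file
    def __init__(self, src, dst=None):
        self.src, self.dst = src, dst
    def read(self, n):
        chunk = self.src.read(n)
        if self.dst is not None and chunk:
            self.dst.write(chunk)
        return chunk

def read_stream(fp):
    """Yield (ts_sec, ts_usec, data) using only sequential reads, so a pipe works as well as a file."""
    hdr = fp.read(24)
    if len(hdr) < 24 or struct.unpack("<I", hdr[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap stream")
    while rec := fp.read(16):
        if len(rec) < 16:
            raise ValueError("truncated record header")
        sec, usec, incl, _orig = struct.unpack("<IIII", rec)
        data = fp.read(incl)
        if len(data) < incl:
            raise ValueError("truncated packet data")
        yield sec, usec, data

def dissect(data):
    """Toy dissection: frame length and Ethernet type (None if the frame is too short)."""
    etype = struct.unpack("!H", data[12:14])[0] if len(data) >= 14 else None
    return {"len": len(data), "ethertype": etype}

def one_pass(pipe, out_file=None):
    """One-pass model: dissect packets as they arrive; write them through only if asked."""
    return [dissect(d) for _, _, d in read_stream(Tee(pipe, out_file))]

def two_pass(pipe):
    """Two-pass model: a pipe cannot be rewound, so pass one must spool every byte to a file."""
    with tempfile.TemporaryFile() as spool:
        total = sum(1 for _ in read_stream(Tee(pipe, spool)))  # pass 1: only tally, print nothing
        spool.seek(0)  # pass 2: re-read from the file, now knowing facts only a full pass can give
        return [dict(dissect(d), index=i, of=total) for i, (_, _, d) in enumerate(read_stream(spool), 1)]
```

The "index of total" annotation in the second pass stands in for anything that needs the whole capture before it can be printed, which is exactly what forces the file in the two-pass case.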