Ethereal-dev: [Ethereal-dev] one man's dump is another man's input?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Robin L Darroch <robin@xxxxxxxxxxxxx>
Date: Sat, 23 Apr 2005 00:44:27 +0800
Hi folks,

I'm sending this query as recommended on the WishList wiki to find out whether I should (or shouldn't) add this as a wish for Ethereal. Hopefully, it's a pretty simple thing to add, but I could be overlooking something.

Essentially, my suggestion/request is to enable Ethereal to read *continuously* from a pcap file as if it were an interface. That is, new data added to the end of the pcap file is handled like new data captured from an interface. Essentially what would happen is that "tail -f dumpfile.pcap" becomes the active "interface" for Ethereal, and then it handles any data that comes in from that just like data captured from any physical interface using the parsers that are already built in for handling pcap files.

Why?  Consider the following situation:

You have a program which is able to capture data passively from wireless networks, and dump to pcap files (for the sake of argument, let's call this program KisMAC).

You wish to analyse any data that first program dumps on the fly, and use a really cool program to do that analysis (we'll call that program Ethereal).

At the moment, we do:

Program A -> pcap (continuous)
and
pcap -> Ethereal (once-off)

What would be really nice is to go:

Program A -> pcap -> Ethereal (continuous)

So... doable? Easy? Silly? Add it to the wish list? Wait 24 hours and build from SVN sources? ;)

Cheers,
Robin
--

-------------------------------------------------------------------------
 Robin L. Darroch - PO Box 2715, South Hedland WA 6722 - +61 421 503 966
      robin@xxxxxxxxxxxxx - robin@xxxxxxxxxxx - robin@xxxxxxxxxxxxx
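
The "tail -f" reading described in the message above, as an added example that is not part of the original post and is not Ethereal's code: an incremental reader that follows a growing capture file and only hands on records the writer has finished. It assumes the classic libpcap file format with microsecond timestamps; the names PcapTail, follow and build_sample are hypothetical.

```python
import struct
import time

# Classic libpcap magic as it appears on disk -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

class PcapTail:
    """Incremental parser for a classic pcap stream that may end mid-record."""
    def __init__(self):
        self.buf = b""
        self.endian = None    # "<" or ">" once the global header is parsed
        self.linktype = None  # link-layer type from the global header

    def feed(self, data):
        """Add newly appended bytes; return the complete packets now available."""
        self.buf += data
        packets = []
        if self.endian is None:
            if len(self.buf) < 24:
                return packets  # global header not fully written yet
            self.endian = MAGICS.get(self.buf[:4])
            if self.endian is None:
                raise ValueError("not a classic pcap file")
            self.linktype = struct.unpack(self.endian + "I", self.buf[20:24])[0]
            self.buf = self.buf[24:]
        while len(self.buf) >= 16:
            sec, usec, incl_len, _ = struct.unpack(self.endian + "4I", self.buf[:16])
            if len(self.buf) < 16 + incl_len:
                break  # writer has not finished this record; wait for more bytes
            packets.append((sec + usec / 1e6, self.buf[16:16 + incl_len]))
            self.buf = self.buf[16 + incl_len:]
        return packets

def follow(path, poll=0.5):
    """Yield (timestamp, bytes) from a growing pcap file until interrupted."""
    tail = PcapTail()
    with open(path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if chunk:
                yield from tail.feed(chunk)
            else:
                time.sleep(poll)  # at end of file: wait for the writer to append

def build_sample():  # constructed sample: global header plus two short records
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for sec, payload in ((1, b"first"), (2, b"second!")):
        out += struct.pack("<IIII", sec, 0, len(payload), len(payload)) + payload
    return out
```

A reader like this cannot tell a record that is still being written from a file that was truncated, so it simply keeps waiting at end of file.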