Hi folks,
I'm sending this query as recommended on the WishList wiki to find
out whether I should (or shouldn't) add this as a wish for Ethereal.
Hopefully, it's a pretty simple thing to add, but I could be
overlooking something.
Essentially, my suggestion/request is to enable Ethereal to read
*continuously* from a pcap file as if it were an interface. That is,
new data added to the end of the pcap file is handled like new data
captured from an interface. Essentially what would happen is that
"tail -f dumpfile.pcap" becomes the active "interface" for Ethereal,
and then it handles any data that comes in from that just like data
captured from any physical interface using the parsers that are
already built in for handling pcap files.
Why? Consider the following situation:
You have a program which is able to capture data passively from
wireless networks, and dump to pcap files (for the sake of argument,
let's call this program KisMAC)
You wish to analyse any data that first program dumps on the fly, and
use a really cool program to do that analysis (we'll call that
program Ethereal)
At the moment, we do:
Program A -> pcap (continuous)
and
pcap -> Ethereal (once-off)
What would be really nice is to go:
Program A -> pcap -> Ethereal (continuous)
So... doable? Easy? Silly? Add it to the wish list? Wait 24 hours
and build from SVN sources? ;)
Cheers,
Robin
--
-------------------------------------------------------------------------
Robin L. Darroch - PO Box 2715, South Hedland WA 6722 - +61 421 503 966
robin@xxxxxxxxxxxxx - robin@xxxxxxxxxxx - robin@xxxxxxxxxxxxx