Wireshark · Ethereal-dev: Re: [Ethereal-dev] Feature proposal: read capture from a spawned process

Ethereal-dev: Re: [Ethereal-dev] Feature proposal: read capture from a spawned process

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 01 Aug 2005 10:16:59 -0700

Thomas Steffen wrote:

Ethereal should be able to spawn a child process, and read libpcap
formated capture data from the stdout of that process.

It can already do the latter, but you have to manually create a FIFOfile and run the other process with its standard output redirected tothe file; the former is a convenience feature.

1. Do we need a checkbox "spawn child process", or do we want a magic
character like '|' at the start of the file name to trigger this
feature? For security reasons I would propose the former, although it
is more work.

I'm not sure why the former is more secure - I don't see why clicking acheckbox is more safe than typing a "|". We already do special hacks toimplement the "read from a FIFO" feature.


(BTW, with this feature, is the "read from a FIFO" feature still useful?)

Another question, though, is which of those is better from a UIperspective. "|" would probably be very obvious to those experiencedwith UN*X at the command line (although one might argue that the "|"would belong at the *end* of the line, as you're piping *from* thecommand *to* Ethereal), but it might not be as familiar to Windows users(although maybe command-line users *might* think of it, given thatWindows also supports piping on the command line) or to UN*X users lessfamiliar with the command line.

2. I imagine there would be problems with buffering. Any easy way to
solve them? ssh -t usually works for me, but from a technical
perspective that seems very inefficient.

Buffering is an issue on the send side, so I'm not sure there's any wayto solve it in Ethereal. It could be solved *for the case whereTethereal is the only program in the pipeline* by adding a flag toTethereal to cause it to "fflush()" the standard output for each packetor each batch of packets - the latter requires a change to the main loopto use pcap_dispatch() rather than pcap_loop(), so that batch boundariescan be seen. A similar option could be added to tcpdump.


Netcat appears to have no option to control *its* buffering.

Follow-Ups:
- Re: [Ethereal-dev] Feature proposal: read capture from a spawned process
  - From: Thomas Steffen

References:
- [Ethereal-dev] Feature proposal: read capture from a spawned process
  - From: Thomas Steffen

Prev by Date: Re: [Ethereal-dev] Encapsulation formats for MTP3 or M3UA?
Next by Date: [Ethereal-dev] buildbot failure in Fedora Core 4 (IA32)
Previous by thread: [Ethereal-dev] Feature proposal: read capture from a spawned process
Next by thread: Re: [Ethereal-dev] Feature proposal: read capture from a spawned process
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$