Wireshark-dev: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 1 Sep 2017 11:26:37 -0400


On Thu, Aug 31, 2017 at 2:32 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Aug 31, 2017, at 11:09 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:

> A counter argument to this would be that there are some advantages to not using a (temporary) file as the buffer packets.

For Wireshark, you have no alternative, as packets aren't processed only once.

For TShark with -2, the same applies.

TShark with one pass is the one place where you wouldn't want a temporary file.

Ah, I guess implicit in my statement was the thought that we'd (have to) go back to *shark writing the file.
 
Which would mean that while it could solve the 2 bugs it wouldn't do anything about the fact that the data's going to a file (except that it would allow the user to limit how much data is going to the file with a read filter).  (So my 3rd point is somewhat meaningless.)