Wireshark-users: [Wireshark-users] Is there any reason for "rawshark -s" not to actually *read* t
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 30 Dec 2012 12:54:19 -0800
If rawshark is reading a stream of packets, with no file header, you obviously need to specify the encapsulation of the packets and have the byte-order of the packet headers in the stream match the byte order of the machine processing them (or add an option to explicitly specify the byte order or specify that it's the opposite of the byte order of the machine on which it's running).

However, there's a -s flag to allow it to read a stream that represents a pcap file, complete with a pcap header; currently, -s just skips the header, but it would probably be better to have it process the header, get the encapsulation and use that by default, and get the byte order and use that.

Is there any reason *not* to do that?
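
The header processing proposed in the message above, as an added example that is not part of the original post and is not rawshark's code: it reads the 24-byte pcap file header, detects the writer's byte order from the magic number, and takes the link-layer type from the header. The struct, function names and sample headers are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; struct and function names are hypothetical, not rawshark's. */
struct pcap_info { int swapped; int nsec; uint32_t snaplen; uint32_t linktype; };

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Load 32 bits in host order (memcpy avoids alignment traps), swap on request. */
static uint32_t rd32(const uint8_t *p, int swapped) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return swapped ? bswap32(v) : v;
}

/* Parse the 24-byte pcap file header; -1 on short input or unknown magic. */
int pcap_parse_header(const uint8_t *buf, size_t len, struct pcap_info *pi) {
    if (len < 24) return -1;
    uint32_t magic = rd32(buf, 0);
    pi->swapped = 0;
    if (magic != 0xa1b2c3d4u && magic != 0xa1b23c4du) {
        magic = bswap32(magic);          /* writer had the opposite byte order? */
        pi->swapped = 1;
    }
    if (magic != 0xa1b2c3d4u && magic != 0xa1b23c4du) return -1;
    pi->nsec = (magic == 0xa1b23c4du);   /* nanosecond-resolution variant */
    pi->snaplen = rd32(buf + 16, pi->swapped);
    pi->linktype = rd32(buf + 20, pi->swapped);  /* LINKTYPE_ value = encapsulation */
    return 0;
}

/* Captured length from a 16-byte record header, in the file's byte order.
   Rejecting caplen > snaplen is this example's own sanity check. */
int pcap_record_caplen(const uint8_t *rec, size_t len, const struct pcap_info *pi, uint32_t *caplen) {
    if (len < 16) return -1;
    *caplen = rd32(rec + 8, pi->swapped);
    return (pi->snaplen != 0 && *caplen > pi->snaplen) ? -1 : 0;
}

/* Constructed samples: the same header written big-endian and little-endian. */
static const uint8_t HDR_BE[24] = {0xa1,0xb2,0xc3,0xd4, 0,2, 0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,1};
static const uint8_t HDR_LE[24] = {0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0};

int main(void) {
    struct pcap_info pi;
    if (pcap_parse_header(HDR_BE, sizeof HDR_BE, &pi) == 0)
        printf("swapped=%d snaplen=%u linktype=%u\n", pi.swapped, (unsigned)pi.snaplen, (unsigned)pi.linktype);
    return 0;
}
```

Both sample headers yield link type 1 (Ethernet) and snaplen 65535; only the `swapped` flag differs, and it is then applied to every per-packet record header.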