Wireshark-users: [Wireshark-users] tshark buffered packet dissection -- no realtime output?
Running tshark on Fedora 26 (TShark (Wireshark) 2.2.8
(wireshark-2.2.8)). I get packets in pcap-ng format from a REST API
which I feed via stdin into tshark like this:
curl $API | tshark -l -r - -T text
This basically works. However, the output is buffered, despite using the
'-l' option. E.g. only after a couple of packets have arrived, the
buffer is flushed and the dissected packets are printed. I also
experimented with stdbuf for the curl command but that didn't help
either. When doing
curl $API | tshark -l -i - -T text
it does output the packets in real-time. However, the packets are then
fed through dumpcap which requires (totally unnecessary) elevated
privileges and I'm also reading that this adds additional, unneeded
delay of 500ms.
What I'm expecting is the real-time dissection of the packets received
from the API as with the '-i -' option but without the need to run this
through dumpcap and therefore having the current user member of the
wireshark system group.
Found the below links, so it seems like I'm not entirely alone.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2874
https://osqa-ask.wireshark.org/questions/62677/tshark-l-does-not-function-force-tshark-realtime
Thanks in advance for any hint / advice!
-ralph
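Added example, not from the post or from the Wireshark project: a small Python reader that consumes a pcap-ng stream block by block from a pipe and emits each Enhanced Packet Block as soon as its bytes have arrived, which is the per-packet realtime behaviour the post is after from tshark -l. It assumes a little-endian section and handles only the SHB, IDB and EPB blocks that appear in the constructed sample stream.

```python
import io
import struct
SHB, IDB, EPB, BYTE_ORDER_MAGIC = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x1A2B3C4D
def read_exact(stream, n):
    # Read exactly n bytes from a pipe-like stream (short reads are normal); None at EOF.
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf
def iter_blocks(stream):
    # Yield (type, body) for each block as soon as its bytes have arrived. Assumes a
    # little-endian section, checked against the SHB byte-order magic.
    while (head := read_exact(stream, 8)) is not None:
        btype, blen = struct.unpack("<II", head)
        if btype == SHB and read_exact(stream, 4) != struct.pack("<I", BYTE_ORDER_MAGIC):
            raise ValueError("only little-endian sections are handled here")
        body = read_exact(stream, blen - (16 if btype == SHB else 12))  # up to the trailer
        if body is None or read_exact(stream, 4) is None:   # trailer repeats the length
            raise EOFError("truncated block")
        yield btype, body
def dissect_stream(stream, out=None):
    # Return [(timestamp, caplen), ...] per Enhanced Packet Block; when out is given,
    # write and flush one line per packet instead of waiting for end of stream.
    seen = []
    for btype, body in iter_blocks(stream):
        if btype != EPB:
            continue
        _iface, ts_hi, ts_lo, caplen, _orig = struct.unpack("<IIIII", body[:20])
        seen.append(((ts_hi << 32) | ts_lo, caplen))
        if out is not None:
            out.write(f"ts={seen[-1][0]} caplen={caplen} head={body[20:24].hex()}\n")
            out.flush()   # per-packet flush: the realtime behaviour the post wants from -l
    return seen
def block(btype, body):
    # Frame one little-endian pcapng block: type, length, body, pad to 4, length again.
    pad = (-len(body)) % 4
    blen = 12 + len(body) + pad
    return struct.pack("<II", btype, blen) + body + b"\0" * pad + struct.pack("<I", blen)
def sample_stream():
    # Constructed stream (not real traffic): SHB, one Ethernet IDB, two EPBs.
    shb = block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = block(IDB, struct.pack("<HHI", 1, 0, 65535))
    epbs = [block(EPB, struct.pack("<IIIII", 0, 0, 1000 + i, len(d), len(d)) + d)
            for i, d in enumerate([b"\xaa" * 14, b"\xbb" * 21])]
    return io.BytesIO(shb + idb + b"".join(epbs))
```

To try it against a live feed, replace sample_stream() with sys.stdin.buffer and pass sys.stdout as out; the reader never waits for more than the current block, so the only remaining latency is the producer's.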