Wireshark mailing list archives

Possible New Option for Tshark?


From: Craig Votava <craig.votava () alcatel-lucent com>
Date: Thu, 21 Oct 2010 15:29:36 -0500

Folks-

I wrote a Perl script that feeds pcap data to an instance of tshark  
running in a child process, then takes the decoded output to present  
to the user.

The problem is that I don't know when tshark is done sending output  
back to me. This becomes a problem when running on Windows machines,  
as you cannot do a non-blocking read on a file descriptor (more  
details on this at http://www.perlmonks.org/?node_id=864690).

At first, I looked for a blank line. That works pretty well, except  
when there's an error in the decoding, and the dissector throws in  
blank lines around its error output.

My next thought was to "frame" all of my requests between some small,  
easily identified message (an ARP for example - my output never has  
ARPs to decode).

Then it occurred to me, that the right way is to have a tshark command  
line option, along the lines of --separator '---END OF DECODE', that  
would get tshark to print that out after each message was dissected.

What are your thoughts on this?

Thanks

-Craig

Craig Votava
Alcatel-Lucent
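
The framing problem described above, as an added example that is not part of the original post: a blocking reader that returns as soon as a marker line is seen, compared with the blank-line heuristic. It assumes each record ends with the marker string proposed in the post and that the marker never occurs inside decoded output; the sample text and function names are constructed, and tshark is not invoked.

```python
import io

SENTINEL = "---END OF DECODE"  # marker string proposed in the post

# Constructed decoder output (not real tshark output). The second record
# carries an error message with blank lines around it.
SAMPLE = (
    "Frame 1: 60 bytes on wire\n    Protocol: example-a\n"
    "---END OF DECODE\n"
    "Frame 2: 72 bytes on wire\n\n[constructed dissector error]\n\n"
    "    Protocol: example-b\n"
    "---END OF DECODE\n"
)


def read_record(stream, sentinel=SENTINEL):
    """Blocking read of one record, returned without the sentinel line.

    Returns None at a clean end of stream; raises EOFError if the stream
    ends mid-record (for instance, the child process exited early).
    """
    lines = []
    for raw in iter(stream.readline, ""):
        line = raw.rstrip("\r\n")  # tolerate Windows line endings
        if line == sentinel:
            return lines
        lines.append(line)
    if lines:
        raise EOFError("stream ended before the sentinel was seen")
    return None


def read_all(text):
    """Read every sentinel-terminated record from a text buffer."""
    stream = io.StringIO(text)
    return list(iter(lambda: read_record(stream), None))


def split_on_blank(lines):
    """The blank-line heuristic from the post, for comparison."""
    chunks, current = [], []
    for line in list(lines) + [""]:
        if line:
            current.append(line)
        elif current:
            chunks.append(current)
            current = []
    return chunks
```

With a real child process, `read_record` would be called on the pipe connected to its standard output; a truncated record surfaces as `EOFError` instead of being mistaken for a complete decode.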




___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev