Re: Is it possible to do live-capture on saved pcap file ?

[Guy Harris <guy () alum mit edu>]

On Jun 1, 2011, at 11:51 AM, Alexey Eromenko wrote:

> Is it possible to do live-capture on saved pcap file ? (Like I do on
> real interfaces)
>
> I tried: (on Wireshark 1.2)
> $ wireshark -S -r mycapture.pcap

"Live capture" involves dumpcap writing to a file *and* sending to Wireshark/TShark, over a pipe, "there are N more 
packets" messages.

You would have to add to dumpcap the ability to "capture from a file" in order to do that; I infer from the "$" in the 
command that you're using some flavor of UN*X, so think of it as dumpcap doing the equivalent of "tail -f" on the 
capture file.  (I don't think the "capture from a pipe" will do it - reading from a pipe, when you're at the end of the 
data currently written to the pipe, blocks waiting for more data to arrive, but reading from a file, when you're at the 
end of the file, just returns 0 bytes, so you'd have to either block (in a platform-dependent fashion) waiting for the 
file to be modified, or wait a short period of time and try again.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe