Wireshark mailing list archives

Re: Display dumpcap in real time


From: Guy Harris <guy () alum mit edu>
Date: Tue, 1 Nov 2011 15:17:55 -0700


On Nov 1, 2011, at 2:19 PM, Chip wrote:

> Thanks Guy, that's perfect information.

Note, BTW, that if you're running tcpdump without -w (as you presumably would be doing, as per "I think I will go with 
tcpdump -S as really I am only caring about the connection information and not raw packet information"), neither -C 
nor -G will have any effect.  Just as the -a/-b ring-buffer stuff in TShark only affects a pcap or pcap-ng raw capture 
file, not the dissected output of TShark, -C and -G only affect a pcap raw capture file, not the dissected output of 
tcpdump.

tcpdump, when run without -w, just writes the dissected information to the standard output.  If you want the dissected 
information to show up on the screen *and* get written to a file, you'd have to pipe its output to another program 
(which means tcpdump's standard output would be a pipe, causing it to buffer output at the block level rather than the 
line level, so some screen output would get delayed); if you want it written to a rotating sequence of files, you'd 
need to have the program that reads from the pipe be one that supports that sort of ring buffer.  There are probably 
beefed-up versions of "tee" that can do that, but, if so, I'm not familiar with them.

Note that capture filters and snapshot lengths work in tcpdump as they do in dumpcap/Wireshark/TShark (or put it the 
other way around if you want to be historically accurate).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
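The message above says that rotating tcpdump's dissected text output needs a "beefed-up tee" sitting on the other end of the pipe, one that does the ring-buffer bookkeeping itself because -C/-G only rotate raw capture files. The shell function below is an added example of such a reader, written for this page; it is not code from the Wireshark or tcpdump projects. The function name `ringtee`, the `prefix.N` file naming, the line-count rotation threshold and the sample input are all assumptions. It echoes every line to stdout (so the screen still gets the output) and appends it to the current file, starts a new file every `maxlines` lines, and deletes the oldest file once more than `keep` files exist, which is the text-output analogue of tcpdump's -C/-W.

```shell
#!/bin/sh
# ringtee PREFIX MAXLINES KEEP
#   Read lines on stdin; write each line to stdout and append it to PREFIX.N.
#   Rotate to PREFIX.(N+1) after MAXLINES lines and remove PREFIX.(N-KEEP) so
#   at most KEEP files survive (a ring buffer for text, like tcpdump -C/-W).
# Added example for this page, not tcpdump's or Wireshark's own code; the
# function name, file layout and thresholds are assumptions.
ringtee() {
    prefix=$1
    maxlines=$2
    keep=$3
    seq=0        # index of the file currently being written
    count=0      # lines written to the current file so far

    # IFS= and -r keep leading whitespace and backslashes in each line intact.
    while IFS= read -r line; do
        # Rotate before writing when the current file is full.  The new file is
        # created lazily on its first line, so no empty trailing file is left
        # behind if the input ends exactly on a boundary.
        if [ "$count" -ge "$maxlines" ]; then
            seq=$((seq + 1))
            count=0
            old=$((seq - keep))
            if [ "$old" -ge 0 ]; then
                rm -f "${prefix}.${old}"
            fi
        fi
        current="${prefix}.${seq}"
        printf '%s\n' "$line"                 # copy to the screen (stdout)
        printf '%s\n' "$line" >> "$current"   # copy to the ring of files
        count=$((count + 1))
    done
}

# Assumed usage (interface, filter and paths are placeholders):
#   sudo tcpdump -l -n -S -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' \
#       | ringtee /var/tmp/conn 10000 5
# tcpdump's -l makes its stdout line-buffered, which addresses the delayed
# screen output the message warns about when stdout is a pipe.
```

Because tcpdump's stdout becomes a pipe here, its normal output is block-buffered; tcpdump's own `-l` option switches it to line buffering so lines reach `ringtee` (and the screen) as they are produced. The capture filter and snapshot length are still tcpdump's job, exactly as they would be with dumpcap; only the rotation has moved to the reader side.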