wireshark-dev October 2010 archive

Re: [Wireshark-dev] Possible New Option for Tshark?

From: Mark Landriscina <mlandri1_at_nospam>
Date: Sun Oct 24 2010 - 14:33:57 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

Using -T with pdml/psml would probably be the best approach if you want text output. However, if that doesn't work for you, then you could consider doing what some programs like SCAPY do. Save your packets in a temp pcap file and pass the file name to your tshark child process when you are spawning it. When tshark finishes reading all the packets in your temp file and writes all the dissection data to wherever you are sending it (assuming a pipe), tshark will close and your read will stop blocking. If you want to dissect more packets later on, just respawn another tshark child process.

I've done something similar in Python and it works just fine. If you know Python, download and take a look at SCAPY's wireshark function.

Regards,
Mark

On Oct 23, 2010, at 2:49 AM, Guy Harris wrote:

>
> On Oct 22, 2010, at 9:43 PM, Stephen Fisher wrote:
>
>> On Thu, Oct 21, 2010 at 03:29:36PM -0500, Craig Votava wrote:
>>
>>> I wrote a Perl script that feeds pcap data to an instance of tshark
>>> running in a child process, then takes the decoded output to present
>>> to the user.
>>>
>>> The problem is that I don't know when tshark is done sending output
>>> back to me.
>>
>> How about using "pdml" or "psml" with the -T option.
>
> ...especially given that the default ("-T text") output of TShark is designed for humans, not programs, to read. If your program can read it, great, but if it's easier for it to read PSML or PDML....
>
> (Yes, I know about the UNIX philosophy with respect to program output. At times, it can lead to output that's suboptimal for humans to read but not *quite* as parsable by software as one might like, i.e. it can sacrifice human readability without gaining sufficient program readability to make up for it - sometimes you might as well just have two separate formats and be done with it.)
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe

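Mark's approach (write the batch to a temp pcap, spawn one tshark child per batch, treat EOF on its stdout as the "done" signal) written out as an added Python example; this is not code from the thread or from Scapy's wireshark function. tshark's `-r` and `-T pdml` options are real, while the pcap serializer, the PDML sample and the names `pcap_bytes`, `parse_pdml` and `dissect_batch` are constructed for this example.

```python
import os, struct, subprocess, tempfile
import xml.etree.ElementTree as ET

def pcap_bytes(packets, linktype=1):
    """Serialize (timestamp, raw_frame) pairs as a little-endian pcap v2.4 stream (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in packets:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pdml(xml_bytes):
    """Flatten tshark -T pdml output: one {field: show} dict per packet, protocols under '_protos'."""
    packets = []
    for pkt in ET.fromstring(xml_bytes).iter("packet"):
        fields = {"_protos": [p.get("name") for p in pkt.findall("proto")]}
        for fld in pkt.iter("field"):
            name = fld.get("name")
            if name and "show" in fld.attrib:
                fields.setdefault(name, fld.get("show"))  # keep the first occurrence of a repeated field
        packets.append(fields)
    return packets

def dissect_batch(packets, tshark="tshark"):
    """Spawn one short-lived tshark per batch. The child reads a finite file, so
    EOF on its stdout is the unambiguous completion signal the original question asked for."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(pcap_bytes(packets))
        proc = subprocess.run([tshark, "-r", path, "-T", "pdml"], capture_output=True, check=True)
        return parse_pdml(proc.stdout)
    finally:
        os.unlink(path)  # do not leave captured traffic behind in the temp directory

# Constructed PDML in the shape tshark emits, so parse_pdml can be exercised without tshark installed.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml version="0"><packet>
<proto name="geninfo" showname="General information" size="42" pos="0">
 <field name="num" show="1" showname="Number" value="1" size="42" pos="0"/></proto>
<proto name="eth" showname="Ethernet II" size="14" pos="0">
 <field name="eth.dst" showname="Destination: ff:ff:ff:ff:ff:ff" show="ff:ff:ff:ff:ff:ff" size="6" pos="0"/></proto>
<proto name="arp" showname="Address Resolution Protocol (request)" size="28" pos="14">
 <field name="arp.opcode" showname="Opcode: request (1)" show="1" size="2" pos="20"/></proto>
</packet></pdml>
"""
```

`dissect_batch` needs tshark on PATH; `pcap_bytes` and `parse_pdml` run offline, and `subprocess.run` only returns once the child has exited, which is exactly the blocking-read behaviour Mark describes.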