Wireshark · Ethereal-users: Re: [Ethereal-users] Can Ethereal read data streams as input?

[Guy Harris <gharris@xxxxxxxxx>]

Sholund, Mark D, GVSOL wrote:
> I am interested in using Ethereal to read pcap files that are generated 
> on a remote system.  I would like to do something like 'ethereal -r 
> http://<remote-system>/pcap/file.pcap' 
> <http://<remote-system>/pcap/file.pcap'>  but this does not appear to 
> work at a command line;

It does not work at all.  Ethereal opens files, not URLs - and opens 
then for *random access* (it doesn't read the entire file into memory, 
or into a temporary file, so it uses random access to get the data for a 
particular packet when that packet is clicked on or otherwise accessed), 
so it can't open a non-seekable data stream.

> Is this something that is doable in a different way than I have tried 
> or must the file be local in order to input to Ethereal?

The file must be openable by the standard OS file access APIs in order 
to be used as input to Ethereal.  Given the existence of various of NFS, 
SMB, AFP, FTP, HTTP, etc. remote file system modules in various OSes, I 
wouldn't phrase that as "must be local", but it must be accessable with 
fopen(), fread(), and the like.  ("FTP" and "HTTP" are available in OS 
X, for example - ftpfs and webdavfs - but the OS X implementations, in 
effect, copy a file to a temporary-file directory and read from that.)

(Or, to put it another way, it doesn't use KIO or anything such as that, 
and won't use any API that supports only sequential access.)