
Wireshark-bugs: [Wireshark-bugs] [Bug 7777] New: Tshark STDOUT problems when using capture filte

Date: Mon, 1 Oct 2012 05:47:56 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7777

           Summary: Tshark STDOUT problems when using capture filters
           Product: Wireshark
           Version: unspecified
          Platform: x86
        OS/Version: Debian
            Status: NEW
          Severity: Critical
          Priority: Low
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: karsai.robert@xxxxxxxxx


Build Information:
TShark 1.2.11

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.24.2, with libpcap 1.1.1, with libz 1.2.3.4, with
POSIX capabilities (Linux), with libpcre 8.2, with SMI 0.4.8, with c-ares
1.7.3,
with Lua 5.1, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with MIT Kerberos, with
GeoIP.

Running on Linux 2.6.32-5-686, with libpcap version 1.1.1, GnuTLS 2.8.6, Gcrypt
1.4.5.

Built using gcc 4.4.5.
--
Tshark STDOUT works strangely when using capture filters. I have a constant ping
running:

betazed:~# tshark -i eth2
Running as user "root" and group "root". This could be dangerous.
Capturing on eth2
  0.000000 192.168.9.170 -> 192.168.9.1  ICMP Echo (ping) request
  0.000118  192.168.9.1 -> 192.168.9.170 ICMP Echo (ping) reply
  ...

Capture filter lets through packets:

betazed:~# tshark -i eth2 icmp
Running as user "root" and group "root". This could be dangerous.
Capturing on eth2
  0.000000 192.168.9.170 -> 192.168.9.1  ICMP Echo (ping) request
  0.000103  192.168.9.1 -> 192.168.9.170 ICMP Echo (ping) reply
  ...

If I pipe the output then without capture filter it is OK:

betazed:~# tshark -i eth2 | grep .
Running as user "root" and group "root". This could be dangerous.
Capturing on eth2
  0.541318 192.168.9.170 -> 192.168.9.1  ICMP Echo (ping) request
  0.541418  192.168.9.1 -> 192.168.9.170 ICMP Echo (ping) reply
  ...

However if I use capture filter the pipe receives nothing (grep . lets
basically everything through):

betazed:~# tshark -i eth2 icmp | grep .
Running as user "root" and group "root". This could be dangerous.
Capturing on eth2
^C26 packets captured

As you can see STDERR reports after pressing CTRL+C that there were 26 captured
packets, yet they were not received by grep. This behaviour can be reproduced
at least on 32-bit versions of Debian 6.0.6, Ubuntu 10.04.4 LTS, Ubuntu 12.04.1
LTS with official repo tshark packages (tshark versions are 1.2.11, 1.2.7,
1.6.7 respectively). I have tested it with a version of tshark 1.8.2 (compiled
by myself) on Ubuntu 12.04.1, it is just the same.
