Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and "read filter"
From: Richard van der Hoff <[email protected]>
Date: Tue, 09 Oct 2007 12:09:38 +0100
Hi all,

First: massive thanks to Ulf for all the work he's been doing on privilege separation. It's definitely a really important feature that's been missing for ever.
Ulf Lamping wrote:
Just as Wireshark is doing it already for some time, tshark now also use dumpcap to capture stuff (to seperate the "potential dangerous" dissection from the "root required" capturing). tshark calls dumpcap with a set of command line options (capture interface, capture file name, ...) and establishes a pipe to dumpcap. Now dumpcap captures packets into a temporary file, a named file or some ringbuffer files and notices tshark events through a pipe, e.g. a new file was opened, some packets rushed in, ...
Ok, first question: when being used by {wire,t}shark, is a temporary 
file really the best way for dumpcap to write its captured data? The 
unix way to do this would be to write it down a separarate pipe (so 
wireshark/tshark would run dumpcap with a magic option saying "write 
your captured data to fd X); however I don't know enough about windows 
to know how portable that would be. A temporary file works fine anyway, 
I guess.
Now the two problems in the buildbot test are:

a) dumping to stdout (using -w -)
Dumping to stdout will mix up with the pipe (standard-)output, so this cannot work as before. BTW: Wireshark cannot capture to stdout for the same reason (or am I missinformed here?).
I don't understand this at all. If I want to use tshark to capture and 
write to stdout, why shouldn't I? Surely that doesn't interfere with the 
pipe between tshark and dumpcap?
Solution: to dump to stdout, use dumpcap - it's build for that purpose.
Well, ish - though as you notice below, it doesn't support read filters 
(nor should it). If I want to perform a capture, with read filtering, to 
stdout, then tshark should be able to do this for me.
Document that dumping to stdout doesn't work with tshark / Wireshark and prevent "-w -" command line option.
This would be a shame.

b) read filter
dumpcap doesn't know anything about display filter syntax -
> ...
Solution: Drop read filters completely, they don't really fit in the 
concept of privilege seperation. Document the change and prevent the 
according command line option(s).
Yes they do: tshark does the read-filtering in as the ordinary user, and 
dumpcap does the capturing as root.
Please note: I'm not argueing against the usefullness of both options, but they don't fit into the idea of privilege seperation and the current implementation of it. So I don't see a good way to "re-"implement them ...
Perhaps I'm missing something important here - but I don't understand 
what the problem is.
Regards,

Richard