Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and "read filter"
From: Jeff Morriss <[email protected]>
Date: Tue, 09 Oct 2007 09:37:36 -0400

Richard van der Hoff wrote:
Hi all,

First: massive thanks to Ulf for all the work he's been doing on privilege separation. It's definitely a really important feature that's been missing for ever.
Ulf Lamping wrote:
Just as Wireshark is doing it already for some time, tshark now also use dumpcap to capture stuff (to seperate the "potential dangerous" dissection from the "root required" capturing). tshark calls dumpcap with a set of command line options (capture interface, capture file name, ...) and establishes a pipe to dumpcap. Now dumpcap captures packets into a temporary file, a named file or some ringbuffer files and notices tshark events through a pipe, e.g. a new file was opened, some packets rushed in, ...
Ok, first question: when being used by {wire,t}shark, is a temporary 
file really the best way for dumpcap to write its captured data? The 
unix way to do this would be to write it down a separarate pipe (so 
wireshark/tshark would run dumpcap with a magic option saying "write 
your captured data to fd X); however I don't know enough about windows 
to know how portable that would be. A temporary file works fine anyway, 
I guess.
Well, except that the temporary file mechanism leads us to ugliness like 
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1650 .  I think to 
fix that generically will require some kind of *shark<->dumpcap 
synchronization and what better way to do it than via a pipe?