Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and"read filter" - co
From: "Maynard, Chris" <[email protected]>
Date: Wed, 10 Oct 2007 00:01:04 -0400
FYI: I was able to test this on a Windows PC, but it doesn't appear to be working.  I could be doing something wrong since I hardly ever use tshark, but I compared the output of a 0.99.6-tshark with the output of an SVN-23125-tshark with the following command line:
tshark.exe -p -i 4 -f icmp -c 10 -x -w -
While pinging my router, the 0.99.6 version produces this output:
No log handling enabled - turning on stderr logging
Capturing on Wireless PC Card Model 0111 (Microsoft's Packet Scheduler)
1 ???í? ?             ?   åK?G|A? J   J    ?%ÑT? ???? E  <?b  Ç??ª?¿pf?¿p F[? ??
2 åK?G?K? J   J    ????0 ?%ÑT E  <?b  û??ª?¿p??¿pf  N[? ??abcdefghijklmnopqrstuv
3 çK?G£H? J   J    ?%ÑT? ???? E  <?c  Ç??Ñ?¿pf?¿p E[? ??abcdefghijklmnopqrstuvwa
4 çK?G?U? J   J    ????0 ?%ÑT E  <?c  û??Ñ?¿p??¿pf  M[? ??abcdefghijklmnopqrstuv
5 êK?GcS? J   J    ?%ÑT? ???? E  <?d  Ç??ñ?¿pf?¿p D[? ??abcdefghijklmnopqrstuvwa
6 êK?G?_? J   J    ????0 ?%ÑT E  <?d  û??ñ?¿p??¿pf  L[? ??abcdefghijklmnopqrstuv
7 ëK?G?Q? J   J    ?%ÑT? ???? E  <?e  Ç??ú?¿pf?¿p C[? ?abcdefghijklmnopqrstuvwab
8 ëK?G3]? J   J    ????0 ?%ÑT E  <?e  û??ú?¿p??¿pf  K[? ?abcdefghijklmnopqrstuvw
9 èK?GdV? J   J    ?%ÑT? ???? E  <?f  Ç??ó?¿pf?¿p B[??abcdefghijklmnopqrstuvwabc
10 èK?G?a? J   J    ????0 ?%ÑT E  <?f  û??ó?¿p??¿pf  J[?abcdefghijklmnopqrstuvwa
.... whereas the SVN-23125-tshark produces only this output:
Capturing on Wireless PC Card Model 0111 (Microsoft's Packet Scheduler)
(NOTE that where "10" is displayed above, what is actually displayed is a counter, counting up from 1 until the limit of 10 packets is reached.  That's just the last thing that's displayed when the program terminates.)
I assume this is relevant, "No log handling enabled - turning on stderr logging"?  Or am I just doing something wrong?  If so, let me know the exact command-line options I should be using when testing this.
- Chris


From: [email protected] on behalf of Guy Harris
Sent: Tue 10/9/2007 9:46 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and"read filter" - conclusion

On Oct 9, 2007, at 1:17 PM, Ulf Lamping wrote:

> Well, it's possible but just not implemented.
> The current implementation simply passes the filename from tshark to
> dumpcap, which then will mess up its own stdout with the event messages
> and packet data.
> It's no voodoo magic to make it work again, but someone (but not me) has
> to make the changes.

I've checked in a change to make dumpcap use its standard error, 
rather than its standard output, for the sync pipe; it appears to 
allow "tshark -w -" to work, at least when piping to tcpdump on OS X.  
I haven't tested it on Windows (my Windows "machine" is currently 
sitting on a disk drive I got back from DriveSavers after the drive in 
my PowerBook went bad; I haven't yet gotten the drive in the PowerBook 
replaced, so I can't fire up Virtual PC), but it looks as if it 
should work, at least based on


which says that, to *not* redirect one of the standard handles in a 
CreateProcess() call when you're redirecting others, just set the 
appropriate handle to GetStdHandle(the appropriate #define), which I'm 
assuming is STD_OUTPUT_HANDLE to leave the standard output alone.
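
The arrangement described in the thread (sync messages on the child's standard error, standard output left alone for packet data), sketched for POSIX as an added example. It is not dumpcap or tshark code; the function names and the message strings are hypothetical.

```c
/* Added illustration, not Wireshark source; names and strings are made up. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the capture child: control messages go to fd 2 (the sync
 * pipe), capture data goes to fd 1, which must stay free of them. */
static void child_body(void)
{
    const char *msg = "sync: 1 packet\n";   /* constructed sync message */
    const char *pkt = "PACKET-BYTES";       /* constructed capture data */
    if (write(STDERR_FILENO, msg, strlen(msg)) < 0 ||
        write(STDOUT_FILENO, pkt, strlen(pkt)) < 0)
        _exit(1);
    _exit(0);
}

/* Fork a child whose stderr is a pipe back to the parent and whose stdout is
 * data_fd (pass STDOUT_FILENO to leave it inherited, as "-w -" needs).
 * Copies the sync messages into sync_buf; returns their length or -1. */
ssize_t run_child_sync_on_stderr(int data_fd, char *sync_buf, size_t cap)
{
    int sync_pipe[2];
    if (cap == 0 || pipe(sync_pipe) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sync_pipe[0]); close(sync_pipe[1]); return -1; }
    if (pid == 0) {
        close(sync_pipe[0]);
        if (dup2(sync_pipe[1], STDERR_FILENO) < 0) _exit(127);
        if (data_fd != STDOUT_FILENO && dup2(data_fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(sync_pipe[1]);
        child_body();
    }
    close(sync_pipe[1]);                /* parent keeps only the read end */
    size_t used = 0;
    ssize_t n;
    while (used < cap - 1 &&
           (n = read(sync_pipe[0], sync_buf + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    sync_buf[used] = '\0';
    close(sync_pipe[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)used;
}

int main(void)
{
    char sync[128] = "";
    ssize_t n = run_child_sync_on_stderr(STDOUT_FILENO, sync, sizeof sync);
    fprintf(stderr, "parent read %zd sync bytes: %s", n, sync);
    return n < 0;
}
```

Run with standard output piped to another program, only the packet bytes arrive there; the sync text reaches the parent through the pipe attached to the child's standard error.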