Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and "readfilter" - con
From: Jeff Morriss <[email protected]>
Date: Fri, 12 Oct 2007 10:46:20 -0400

Maynard, Chris wrote:
> Hmm, I wonder what the point of doing "tshark -w - > /some/file" is when
> you could just do "tshark -w /some/file"?

It's normally used in a more interesting way than my trivial 
example--for example sending the output to a pipe which then eventually 
sends the output to a file.  Something like:
ssh [email protected] "tshark -w -" > /some/file

(so tshark gets executed on 'somehost' but the output file is created on your local machine.)

> Anyway, I tried it and it seems to work better, although compared to the
> 0.99.6 version, the output differs given the same options.  I would
> expect the output to be the same, no?
>
> Running "tshark.exe -p -i 4 -f icmp -c 4 -w - > tsharktest.cap":
>
> "C:\wireshark-gtk2\tshark.exe" -r tsharktest.cap
>   1   0.000000 -> 74
>   2   0.000272 -> 74
>   3   1.002940 -> 74
>   4   1.003186 -> 74
>
> "C:\Program Files\Wireshark\tshark.exe" -r tsharktest.cap
> No log handling enabled - turning on stderr logging
>   1   0.000000 -> 74 ICMP Echo (ping) request
>   2   0.000305 -> 74 ICMP Echo (ping) reply
>   3   1.001864 -> 74 ICMP Echo (ping) request
>   4   1.002157 -> 74 ICMP Echo (ping) reply

Hmmm, yeah.  I'll see if I can get my Windows build going again though 
IIRC I never could capture stuff with my own builds.