Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and"readfilter" - con
From: Jeff Morriss <[email protected]>
Date: Fri, 12 Oct 2007 10:46:20 -0400

Maynard, Chris wrote:
Hmm, I wonder what the point of doing "tshark -w - > /some/file" is when
you could just do "tshark -w /some/file"?
It's normally used in a more interesting way than my trivial 
example--for example sending the output to a pipe which then eventually 
sends the output to a file.  Something like:
ssh [email protected] "tshark -w -" > /some/file

(so tshark gets executed on 'somehost' but the output file is created on your local machine.)
Anyway, I tried it and it seems to work better, although compared to the
0.99.6 version, the output differs given the same options.  I would
expect the output to be the same, no?

Running "tshark.exe -p -i 4 -f icmp -c 4 -w - > tsharktest.cap":

tshark-SVN-23133:
"C:\wireshark-gtk2\tshark.exe" -r tsharktest.cap
  1   0.000000 192.168.1.100 -> 192.168.1.1 74
  2   0.000272 192.168.1.1 -> 192.168.1.100 74
  3   1.002940 192.168.1.100 -> 192.168.1.1 74
  4   1.003186 192.168.1.1 -> 192.168.1.100 74

tshark-0.99.6:
"C:\Program Files\Wireshark\tshark.exe" -r tsharktest.cap
No log handling enabled - turning on stderr logging
  1   0.000000 192.168.1.100 -> 192.168.1.1 74 ICMP Echo (ping) request
  2   0.000305 192.168.1.1 -> 192.168.1.100 74 ICMP Echo (ping) reply
  3   1.001864 192.168.1.100 -> 192.168.1.1 74 ICMP Echo (ping) request
  4   1.002157 192.168.1.1 -> 192.168.1.100 74 ICMP Echo (ping) reply
Hmmm, yeah.  I'll see if I can get my Windows build going again though 
IIRC I never could capture stuff with my own builds.