Wireshark-dev: Re: [Wireshark-dev] Possible New Option for Tshark?

From: Mark Landriscina <mlandri1@xxxxxxx>
Date: Sun, 24 Oct 2010 10:33:57 -0400
Using -T with pdml/psml would probably be the best approach if you want text output. However, if that doesn't work for you, then you could consider doing what some programs like SCAPY do. Save your packets in a temp pcap file and pass the file name to your tshark child process when you are spawning it.  When tshark finishes reading all the packets in your temp file and writes all the dissection data to wherever you are sending it (assuming a pipe), tshark will close and your read will stop blocking. If you want to dissect more packets later on, just respawn another tshark child process.

I've done something similar in Python and it works just fine. If you know Python, download and take a look at SCAPY's wireshark function.

Regards,
Mark


On Oct 23, 2010, at 2:49 AM, Guy Harris wrote:

> 
> On Oct 22, 2010, at 9:43 PM, Stephen Fisher wrote:
> 
>> On Thu, Oct 21, 2010 at 03:29:36PM -0500, Craig Votava wrote:
>> 
>>> I wrote a Perl script that feeds pcap data to an instance of tshark 
>>> running in a child process, then takes the decoded output to present 
>>> to the user.
>>> 
>>> The problem is that I don't know when tshark is done sending output 
>>> back to me.
>> 
>> How about using "pdml" or "psml" with the -T option.
> 
> ...especially given that the default ("-T text") output of TShark is designed for humans, not programs, to read.  If your program can read it, great, but if it's easier for it to read PSML or PDML....
> 
> (Yes, I know about the UNIX philosophy with respect to program output.  At times, it can lead to output that's suboptimal for humans to read but not *quite* as parsable by software as one might like, i.e. it can sacrifice human readability without gaining sufficient program readability to make up for it - sometimes you might as well just have two separate formats and be done with it.)
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
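The temp-pcap approach Mark describes above (write the packets to a temporary capture file, spawn tshark on it with -T pdml, read the pipe until the child exits) as an added, stand-alone Python example. This is not code from the thread and not Scapy's wireshark() function; it assumes a tshark binary on PATH when actually run. The ARP frame and the PDML fragment it parses are constructed here for illustration, not real capture or tshark output, and the field names used are ordinary Wireshark display-filter names.

```python
"""Added example: drive a tshark child process from a temporary pcap file,
as Mark describes above. Not code from the thread or from Scapy."""
import os
import shutil
import struct
import subprocess
import tempfile
import xml.etree.ElementTree as ET

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample frame (not from the thread): an ARP request from
# 00:11:22:33:44:55 / 192.0.2.1 asking who has 192.0.2.2 (TEST-NET-1).
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"          # Ethernet dst, src, type
    "0001" "0800" "06" "04" "0001"                 # htype, ptype, hlen, plen, op
    "001122334455" "c0000201"                      # sender MAC / IP
    "000000000000" "c0000202"                      # target MAC / IP
)

def pcap_bytes(packets, linktype=LINKTYPE_ETHERNET, ts_sec=1287930000):
    """Serialize raw frames as a pcap 2.4 file image (what tshark -r reads)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts_sec + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)

def parse_pdml(pdml):
    """Reduce tshark's PDML to one {field name: show value} dict per packet."""
    packets = []
    for pkt in ET.fromstring(pdml).iter("packet"):
        fields = {}
        for field in pkt.iter("field"):
            name = field.get("name")
            if name and name not in fields:      # keep the first occurrence
                fields[name] = field.get("show", "")
        packets.append(fields)
    return packets

def dissect_with_tshark(packets, tshark=None, timeout=60):
    """Write packets to a temp pcap, spawn tshark on it, read PDML until EOF.

    tshark exits once the file is exhausted, so the pipe reaching EOF is the
    "tshark is done" signal the original poster was looking for.  To dissect
    more packets later, call this again (respawn), as Mark suggests."""
    tshark = tshark or shutil.which("tshark")
    if tshark is None:
        raise FileNotFoundError("tshark not found on PATH")
    fd, path = tempfile.mkstemp(suffix=".pcap")   # unpredictable name, mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(pcap_bytes(packets))
        # argv list, no shell: the path never passes through a shell parser.
        proc = subprocess.run([tshark, "-r", path, "-T", "pdml"],
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              check=True, timeout=timeout)
    finally:
        os.unlink(path)
    return parse_pdml(proc.stdout)

# Constructed PDML fragment in the shape tshark -T pdml emits, so parse_pdml
# can be exercised without tshark installed (not real tshark output).
SAMPLE_PDML = b"""<pdml version="0" creator="wireshark/1.4.0">
<packet>
  <proto name="frame" showname="Frame 1: 42 bytes on wire">
    <field name="frame.len" showname="Frame Length: 42 bytes" show="42"/>
  </proto>
  <proto name="eth" showname="Ethernet II">
    <field name="eth.dst" showname="Destination: Broadcast" show="ff:ff:ff:ff:ff:ff"/>
    <field name="eth.src" showname="Source: 00:11:22:33:44:55" show="00:11:22:33:44:55"/>
  </proto>
  <proto name="arp" showname="Address Resolution Protocol (request)">
    <field name="arp.opcode" showname="Opcode: request (0x0001)" show="1"/>
    <field name="arp.dst.proto_ipv4" showname="Target IP address" show="192.0.2.2"/>
  </proto>
</packet>
</pdml>
"""

if __name__ == "__main__":
    if shutil.which("tshark"):
        for fields in dissect_with_tshark([ARP_REQUEST]):
            print(fields.get("arp.opcode"), fields.get("arp.dst.proto_ipv4"))
    else:
        print(parse_pdml(SAMPLE_PDML))
```

Two details worth keeping when adapting this: mkstemp gives a name another local user cannot predict and a file only the owner can read, so nobody can pre-create or swap the capture between the write and the tshark read; and passing argv as a list with no shell means the temp path is never interpreted by a shell. For large captures, read the child's stdout incrementally instead of buffering all of it with subprocess.run, since PDML is several times the size of the packets it describes.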