Wireshark-dev: Re: [Wireshark-dev] Adding support for pcap-ng to dumpcap or reading from pipes
From: Jakub Zawadzki <[email protected]>
Date: Sun, 13 May 2012 21:16:05 +0200
On Sat, May 12, 2012 at 04:10:49PM -0700, Guy Harris wrote:
> On May 12, 2012, at 12:43 PM, Jakub Zawadzki wrote:
> 
> > Do we really need to "capture" from pipes in dumpcap?
> 
> I believe the ability to capture from a pipe was introduced in order to handle capturing from sources that libpcap/WinPcap don't handle (e.g., "ssh over to machine XXX and run tcpdump on it, capturing to the standard output" or "capture from some network type that libpcap doesn't (yet) handle") - a program that captures from that source and writes pcap output to its standard output could be used as a capture source.

I know why we should support reading from pipes, the question was rather: 
Why it's done in dumpcap? Why it's not done in wireshark (and wiretap)?

I've thought that dumpcap is SETUID root program to capture
packets from network interfaces. For pipes we don't need +s.
And for named pipes +s can be dangerous :)

But I forgot that dumpcap support capturing from multiple sources 
(which can be named pipes) and writting all packets to single file.