Wireshark-dev: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap
From: Jeff Morriss <[email protected]>
Date: Fri, 1 Sep 2017 11:26:37 -0400

On Thu, Aug 31, 2017 at 2:32 PM, Guy Harris <[email protected]> wrote:
On Aug 31, 2017, at 11:09 AM, Jeff Morriss <[email protected]> wrote:

> A counter argument to this would be that there are some advantages to not using a (temporary) file as the buffer packets.

For Wireshark, you have no alternative, as packets aren't processed only once.

For TShark with -2, the same applies.

TShark with one pass is the one place where you wouldn't want a temporary file.

Ah, I guess implicit in my statement was the thought that we'd (have to) go back to *shark writing the file.
Which would mean that while it could solve the 2 bugs it wouldn't do anything about the fact that the data's going to a file (except that it would allow the user to limit how much data is going to the file with a read filter).  (So my 3rd point is somewhat meaningless.)