Wireshark-users: [Wireshark-users] tshark "illegal seek" on Linux

From: Abhijit Bare <abhibare@xxxxxxxxx>
Date: Mon, 10 Aug 2009 13:43:49 -0600

Hi all,

tshark produces "illegal seek" error when I read from stdin and output to stdout at the same time. I am basically trying this:

zcat file.raw.gz | tshark -i - -R 'filter-string' -w - | gzip > new.raw.gz

Output is:
Capturing on -
tshark: The file "-" could not be opened: Illegal seek.

I tried different ways. If I let tshark print all the binary data on the console, it does it happily. The "illegal seek" occurs only when I redirect the output to a file or a pipe. Maybe this is not a tshark problem. But I am not sure what is wrong with this.

I can read the file directly using the "-r" option, but tshark seems to load the entire file into memory. My file is really large (up to 1 TB) and tshark's virtual memory shoots up really high because of that. Doing the piped command as above will be much leaner.
This is Wireshark v1.0.4-3.1 on SUSE Linux Enterprise Server 10 SP2.

Thank you,
Abhijit Bare