
Wireshark-users: [Wireshark-users] "illegal seek" writing to stdout (Tshark 1.2.6 on Fedora 12)

From: Joe Knapka <jknapka@xxxxxxxxxx>
Date: Wed, 3 Nov 2010 10:34:20 -0600
Hi everyone,

I have a script that uses tshark to filter selected packets from a
very large body of captured data and passes them via stdout to a
custom packet decoding tool.  (Arguably this might be better
implemented in some other way, e.g. with a dissector; but my approach
leverages a bunch of existing Java code that knows how to decode the
traffic in question.)

The basic approach is:

   cat someHugeCaptureFile | tshark -i - -R $FILTER -w - |  java DecoderClass

With tshark 0.99.6 on Fedora 6 this works great.  With tshark 1.2.6 on
Fedora 12, it fails with:

   tshark: The file "-" could not be opened: Illegal seek

If I omit the "-w -" and the pipe to the decoder, I get successful
(but uninformative) tshark decode to stdout.  If I use "-w -" without
the pipe into the DecoderClass, I get a couple of raw packets dumped
to stdout, followed by the "illegal seek" error.  I suspect the
problem may be with the environment rather than with tshark itself,
but I'm not sure how to proceed.

Unfortunately, I don't have administrative control over the machine in
question, so I cannot just install the older tshark and try it out. My
current workaround is to use tcpdump for simple things, but tshark's
more capable read filters are extremely useful, and I miss them :-(

I've seen one other message on wireshark-users about this, from 2009,
with no response.  Has anyone else seen this problem? Is there an easy
solution?

Thanks for any advice,

-- JK
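
An added illustration, not part of the original message and not tshark's code: "Illegal seek" is the operating system's message for errno ESPIPE, which lseek() returns when the descriptor is a pipe. The Python sketch below confirms that on a pipe and then writes and reads a pcap stream through it using sequential I/O only, as any stage of a pipeline like the one above has to; the classic little-endian pcap layout, the sample frames and all function names are assumptions of the example.

```python
import errno
import os
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, ver 2.4, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4
SAMPLE = [(1288802060, b"\x00" * 14 + b"one"), (1288802061, b"\x00" * 14 + b"two")]  # constructed

def seek_error(fd):
    """Return the errno name lseek() raises on fd, or None if fd is seekable."""
    try:
        os.lseek(fd, 0, os.SEEK_CUR)
    except OSError as exc:
        return errno.errorcode[exc.errno]
    return None

def write_pcap(out, packets):
    """Write header and records strictly front to back, so a pipe is a valid target."""
    out.write(PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts_sec, data in packets:
        out.write(PCAP_RECORD.pack(ts_sec, 0, len(data), len(data)))
        out.write(data)

def read_pcap(src):
    """Yield (ts_sec, payload) from a pcap byte stream using sequential reads only."""
    head = src.read(PCAP_GLOBAL.size)
    if len(head) < PCAP_GLOBAL.size or PCAP_GLOBAL.unpack(head)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap stream")
    while True:
        rec = src.read(PCAP_RECORD.size)
        if not rec:
            return  # clean end of stream
        if len(rec) < PCAP_RECORD.size:
            raise EOFError("truncated record header")
        ts_sec, _, incl_len, _ = PCAP_RECORD.unpack(rec)
        data = src.read(incl_len)
        if len(data) < incl_len:
            raise EOFError("truncated packet data")
        yield ts_sec, data

def pipe_roundtrip(packets):
    """Send packets through an OS pipe; return (seek errno on the pipe, packets read back)."""
    r, w = os.pipe()
    err = seek_error(w)  # a pipe cannot be repositioned
    with os.fdopen(w, "wb") as out:
        write_pcap(out, packets)
    with os.fdopen(r, "rb") as src:
        return err, list(read_pcap(src))
```

`pipe_roundtrip(SAMPLE)` returns `"ESPIPE"` together with the two frames unchanged; the example says nothing about where tshark 1.2.6 itself attempts the seek.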