
Wireshark-users: Re: [Wireshark-users] Is it possible to do live-capture on saved pcap file ?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 1 Jun 2011 11:58:50 -0700

On Jun 1, 2011, at 11:51 AM, Alexey Eromenko wrote:

> Is it possible to do live-capture on saved pcap file ? (Like I do on
> real interfaces)
> 
> I tried: (on Wireshark 1.2)
> $ wireshark -S -r mycapture.pcap

"Live capture" involves dumpcap writing to a file *and* sending to Wireshark/TShark, over a pipe, "there are N more packets" messages.

You would have to add to dumpcap the ability to "capture from a file" in order to do that; I infer from the "$" in the command that you're using some flavor of UN*X, so think of it as dumpcap doing the equivalent of "tail -f" on the capture file.  (I don't think the "capture from a pipe" will do it - reading from a pipe, when you're at the end of the data currently written to the pipe, blocks waiting for more data to arrive, but reading from a file, when you're at the end of the file, just returns 0 bytes, so you'd have to either block (in a platform-dependent fashion) waiting for the file to be modified, or wait a short period of time and try again.)
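The "tail -f" approach described in the reply above (a read at end of file returns 0 bytes, so wait a short time and try again), as an added example that is not part of the original message and is not dumpcap code. It follows a growing classic pcap file record by record; `follow_pcap`, `read_exact`, `sample_pcap`, `MAX_PACKET`, `poll` and `max_idle` are hypothetical names, and only the microsecond-timestamp pcap format is handled.

```python
import struct
import time

# Classic pcap magic (microsecond timestamps) -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_PACKET = 262144  # assumed sanity bound on a record's captured length


def read_exact(f, n, poll, max_idle):
    """Read exactly n bytes, retrying at EOF; None if the file stays idle."""
    buf, idle = b"", 0.0
    while len(buf) < n:
        chunk = f.read(n - len(buf))
        if chunk:                      # the writer appended more data
            buf, idle = buf + chunk, 0.0
        elif idle >= max_idle:         # no growth for max_idle seconds: give up
            return None
        else:                          # EOF on a file returns 0 bytes: wait, retry
            time.sleep(poll)
            idle += poll
    return buf


def follow_pcap(path, poll=0.05, max_idle=1.0):
    """Yield (ts_sec, ts_usec, data) for each record as the file grows."""
    with open(path, "rb", buffering=0) as f:   # unbuffered: each read hits the file
        hdr = read_exact(f, 24, poll, max_idle)
        if hdr is None or hdr[:4] not in MAGICS:
            raise ValueError("not a classic pcap file")
        order = MAGICS[hdr[:4]]
        while True:
            rec = read_exact(f, 16, poll, max_idle)
            if rec is None:            # idle at a record boundary (or mid-header)
                return
            ts_sec, ts_usec, incl_len, _orig = struct.unpack(order + "IIII", rec)
            if incl_len > MAX_PACKET:  # corrupt or misaligned record header
                raise ValueError("implausible record length %d" % incl_len)
            data = read_exact(f, incl_len, poll, max_idle)
            if data is None:           # the writer stopped mid-record
                return
            yield ts_sec, ts_usec, data


def sample_pcap():
    """Constructed input: global header plus two tiny records (not real traffic)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 1, i, 4, 4) + b"pkt%d" % i for i in range(2)]
    return hdr, recs
```

Because the reader polls rather than blocks, a record that the writer has only partly flushed is completed on a later retry instead of being parsed short.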