Wireshark-users: Re: [Wireshark-users] newbie question, tshark input from stdin

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Tue, 4 Feb 2014 15:22:30 +0000 (UTC)
Evan Huus <eapache@...> writes:

> On Mon, Feb 3, 2014 at 5:43 PM, Christopher Maynard
> <Christopher.Maynard@...> wrote:
> > Evan Huus <eapache <at> ...> writes:
> >
> >> The -i flag is for specifying a network interface for live capture (eg
> >> eth0) and so doesn't accept "-" to signify stdin.
> >
> > The tshark man page[1] would disagree.  I just tested this with 1.10.5 and
> > it worked as documented:
> 
> Whoops, yes, you're right, I made a false assumption.

Does anyone know why dumpcap, tshark and Wireshark read from a pipe using
"-i -" and not "-r -"?  It seems more intuitive to me to use "-r" than "-i"
and it would match tcpdump's syntax[1].  I suppose either "-r -" or "-i -"
could be allowed?

- Chris

[1]: http://www.tcpdump.org/tcpdump_man.html