Using -T with pdml/psml would probably be the best approach if you want text 
output. However, if that doesn't work for you, then you could consider doing 
what some programs like SCAPY do. Save your packets in a temp pcap file and 
pass the file name to your tshark child process when you are spawning it.  When 
tshark finishes reading all the packets in your temp file and writes all the 
dissection data to wherever you are sending it (assuming a pipe), tshark will 
close and your read will stop blocking. If you want to dissect more packets 
later on, just respawn another tshark child process.

I've done something similar in Python and it works just fine. If you know 
Python, download and take a look at SCAPY's wireshark function.

Regards,
Mark


On Oct 23, 2010, at 2:49 AM, Guy Harris wrote:

> 
> On Oct 22, 2010, at 9:43 PM, Stephen Fisher wrote:
> 
>> On Thu, Oct 21, 2010 at 03:29:36PM -0500, Craig Votava wrote:
>> 
>>> I wrote a Perl script that feeds pcap data to an instance of tshark 
>>> running in a child process, then takes the decoded output to present 
>>> to the user.
>>> 
>>> The problem is that I don't know when tshark is done sending output 
>>> back to me.
>> 
>> How about using "pdml" or "psml" with the -T option.
> 
> ...especially given that the default ("-T text") output of TShark is designed 
> for humans, not programs, to read.  If your program can read it, great, but 
> if it's easier for it to read PSML or PDML....
> 
> (Yes, I know about the UNIX philosophy with respect to program output.  At 
> times, it can lead to output that's suboptimal for humans to read but not 
> *quite* as parsable by software as one might like, i.e. it can sacrifice 
> human readability without gaining sufficient program readability to make up 
> for it - sometimes you might as well just have two separate formats and be 
> done with it.)
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
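
The temp-file approach from Mark's reply at the top of this thread, as an added example that is not code from the thread, from Scapy, or from Wireshark. It assumes `tshark` is on `PATH`; the function names `write_temp_pcap` and `dissect` are hypothetical, and the sample frame is constructed.

```python
import os
import struct
import subprocess
import tempfile

def write_temp_pcap(frames, linktype=1):
    """Write (timestamp, raw_frame) pairs to a temp classic-pcap file; return its path."""
    # mkstemp creates the file with mode 0600 and an unpredictable name.
    fd, path = tempfile.mkstemp(suffix=".pcap")
    with os.fdopen(fd, "wb") as f:
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for ts, frame in frames:
            sec = int(ts)
            usec = int((ts - sec) * 1_000_000)
            # Record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)
    return path

def dissect(frames, tshark=("tshark",), fmt="pdml", timeout=60):
    """Spawn one tshark child per batch and return its complete output."""
    path = write_temp_pcap(frames)
    try:
        # argv list, no shell. run() returns only after the child has exited
        # and stdout has hit EOF, so "is tshark done?" never needs guessing.
        proc = subprocess.run([*tshark, "-r", path, "-T", fmt],
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout)
    finally:
        os.unlink(path)  # packet data does not linger in the temp directory
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.decode("utf-8", "replace"))
    return proc.stdout.decode("utf-8", "replace")

if __name__ == "__main__":
    import shutil
    # Constructed sample: one 60-byte broadcast Ethernet frame (ARP ethertype, zero payload).
    frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06" + b"\x00" * 46
    if shutil.which("tshark"):
        print(dissect([(0.0, frame)]))              # first batch
        print(dissect([(1.5, frame)], fmt="psml"))  # later batch: just respawn
    else:
        print("tshark not found on PATH")
```

The `timeout` bounds how long a stuck child can block the caller; `subprocess.run` kills the child and raises `TimeoutExpired` when it is exceeded.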
