This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can a dissector or tap recognize if data is from live capture or loading a file?

0

I am writing a tap in Lua, but could also write it in C if necessary. I would like to know in the tap.packet was called as a result of a live capture or file load. I know that in the main Wireshark code, it uses capture_opts->real_time_mode, but I can't seem to find how to access this in a tap.

asked 01 Feb '16, 13:51

SonomaDave's gravatar image

SonomaDave
11223
accept rate: 0%


One Answer:

0

It can't.

What is it that your tap would do differently in those two cases?

answered 01 Feb '16, 18:30

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I am sending data to an external program to calculate response times. It works slightly different for real time data versus the load of previously captured data. It present results in time slices, (e.g. response time for 10 minute slices). If traffic is sparse, then there may be no data at the end of the next time slice, which means the user would not see the complete picture. So, if the data is in real time, and no traffic is seen for a few seconds, the program initiates a cut-off. I do not want to do this for the load of a previously captured file.

(02 Feb '16, 12:03) SonomaDave