Bypassing dumpcap with TShark and pipes

Because of Bug 2874 in dumpcap, tshark will normaly only respond every 500ms. I need lower latency as I am feeding a live application. I heard this can be accomplished with pipes, but am completely inexperienced with pipes. How would this be done? What I need is for the dissectors to be running in realtime, continually.

asked 11 Jul '17, 15:44

afay
6●2●2●4
accept rate: 0%

edited 11 Jul '17, 17:20

One Answer:

active answers oldest answers newest answers popular answers

Use tshark -w - -F pcap | tshark -r -

permanent link

answered 12 Jul '17, 09:33

afay
6●2●2●4
accept rate: 0%

Did you mean dumpcap -w - -P | tshark -r - ? Or does dumpcap spawned by tshark really behave differently if that tshark writes to stdout than if it writes to a regular file?

(12 Jul '17, 10:12) sindy

Your answer

toggle preview

community wiki:

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Question tags:

tshark ×832
dumpcap ×89
pipe ×37
pipes ×3
bug-2874 ×1

question asked: 11 Jul '17, 15:44

question was seen: 930 times

last updated: 12 Jul '17, 14:30

Bypassing dumpcap with TShark and pipes

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions