The code that handles packets from live captures is the same code that handles packets from capture files. During a live capture, dumpcap writes packets to a file that Wireshark or TShark has open, and, if it's written a batch of N packets to the file, sends Wireshark/TShark a message saying "I've just added N more packets", and Wireshark/TShark reads the next N packets from the file when it reads that message.

So presumably what you mean is "is there any way to have the packets show up as they're loaded if I'm reading a capture file, rather than waiting for the entire file to be read in before seeing any packets?"

It might be possible to change Wireshark's file-reading code to do that (I've seen Microsoft Word show similar behavior when reading a large document - the scrollbar changes as the file is being read, indicating that more text is available), although it's probably more than just a tweak, and it'd be best to make sure it doesn't slow down the process of reading the entire file too much.
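The batch-count handoff described in the answer, as a simplified model added here (not Wireshark or dumpcap code, and not part of the original answer). The names `Writer`, `Reader`, `write_batch` and `on_message` are hypothetical, and the returned count stands in for the "N more packets" message, whose real format the page does not show.

```python
import os
import struct
import tempfile

FILE_HDR = struct.Struct("<IHHiIII")  # classic pcap file header, 24 bytes
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

class Writer:
    """Stand-in for the capturing process: appends records, reports batch size."""
    def __init__(self, f):
        self.f = f
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
        f.write(FILE_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        f.flush()

    def write_batch(self, packets):
        for ts, data in packets:
            self.f.write(REC_HDR.pack(ts, 0, len(data), len(data)) + data)
        self.f.flush()       # records must be in the file before the count is sent
        return len(packets)  # models the "I've just added N more packets" message

class Reader:
    """Stand-in for the displaying process: reads only what has been announced."""
    def __init__(self, f):
        self.f = f
        magic = FILE_HDR.unpack(f.read(FILE_HDR.size))[0]
        if magic != 0xA1B2C3D4:
            raise ValueError("not a little-endian microsecond pcap file")
        self.packets = []

    def on_message(self, n):
        for _ in range(n):
            hdr = self.f.read(REC_HDR.size)
            if len(hdr) < REC_HDR.size:
                raise EOFError("count announced before the record was written")
            ts, _usec, incl_len, _orig_len = REC_HDR.unpack(hdr)
            self.packets.append((ts, self.f.read(incl_len)))
        return len(self.packets)  # packets visible to the user so far

def demo():
    batches = [[(1, b"aa"), (2, b"bbb")], [(3, b"c")]]  # constructed sample packets
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "live.pcap")
        with open(path, "wb") as wf, open(path, "rb") as rf:
            writer, reader = Writer(wf), Reader(rf)
            visible = [reader.on_message(writer.write_batch(b)) for b in batches]
    return visible, reader.packets
```

Because the reader consumes exactly the announced number of records, it never parses a record that is only partly written, and the packet list grows batch by batch instead of after the whole file is read.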