Revision history

initial version

Tshark output real time

I ran the following commands:

1) cat demo.cap | tshark -Tek -r - >> > outputs 8742 packets.

But when I try to tail the file...

2) tail -f -c +0 demo.cap | tshark -Tek -r - >> outputs 8672 packets.

3) tail -f -c +0 demo.cap | tshark -Tek -l -r - >> outputs 8672 packets.

On the Wireshark UI, I get 8742 packets.

It's apparent that not all packets are seen. I realized Tshark might be buffering its output, but -l is not helping either. Can anyone explain where else to look?

Tshark output incomplete in real time

I ran the following commands:

1) cat demo.cap | tshark -Tek -r - >> > outputs 8742 packets.

But when I try to tail the file...

2) tail -f -c +0 demo.cap | tshark -Tek -r - >> outputs 8672 packets.

3) tail -f -c +0 demo.cap | tshark -Tek -l -r - >> outputs 8672 packets.

On the Wireshark UI, I get 8742 packets.

Interestingly, if I use a capture in libpcap format, then

4) tail -f -c +0 | tshark -Tek -i - > >> outputs 8742 packets.

It's apparent that not all packets are seen. I realized Tshark might be buffering its output, but -l is not helping either. Can anyone explain where else to look?

Tshark output incomplete in real time

I ran the following commands:

1) cat demo.cap | tshark -Tek -r - >> > outputs 8742 packets.

But when I try to tail the file...

2) tail -f -c +0 demo.cap | tshark -Tek -r - >> outputs 8672 packets.

3) tail -f -c +0 demo.cap | tshark -Tek -l -r - >> outputs 8672 packets.

On the Wireshark UI, I get 8742 packets.

Interestingly, if I use a capture in libpcap format and use -i instead of -r, then

4) tail -f -c +0 demo.cap | tshark -Tek -i - > >> outputs 8742 packets.

It's apparent that not all packets are seen. I realized Tshark might be buffering its output, but -l is not helping either. Can anyone explain where else to look?