Ethereal-dev: Re: [Ethereal-dev] Newbie : How to pass my self generated packets to ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 23 May 2002 12:14:00 -0700
On Thu, May 23, 2002 at 09:34:33AM -0700, Bill Studenmund wrote:
> Well, to be honest, if Guy said Ethereal can do it, I suspect Ethereal can
> do it. :-)
> 
> Note also he said "named pipe", not a pipe. They are slightly different.

Actually, it can also capture from its standard input, if it's a pipe -
even if it's an unnamed pipe - if you specify "-" as the capture
"device" name.

(Thanks to Olivier Abad for implementing the "capture from pipe"
feature.)

> Guy, "tcpdump .... -w /tmp/ethereal-pipe" would be an example capture
> program, wouldn't it?

That should work (I forget whether Olivier put that feature in so that
he could do something like

	rsh othermachine sudo tcpdump -w - >/tmp/ethereal-pipe

to capture packets from one machine while running Ethereal on another
machine, but I think it was something like that, even if the program
wasn't tcpdump).

You might want to run tcpdump with "-s 65535" (or, thanks to Gilbert
Ramirez, "-s 0" on, I think, tcpdump 3.6 and later; that's a synonym for
"-s 65535") if you want the entire contents of the packets rather than
just the first 68 bytes.

> Oh, make that "tcpdump ... -l -w /tmp/ethereal-pipe"
> so that we get packets in real time.

Well, that makes the standard output line-buffered - but that just means
stuff gets written to the standard output when the buffer fills up *or*
a byte with the value 0x0a is seen; that doesn't necessarily correspond
to packet boundaries in the libpcap data stream.
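
An added example, not part of the original message or of Ethereal's code: a generator of self-made packets that writes a libpcap stream to a named pipe or to standard output, flushing after every record so that writes line up with packet boundaries instead of with buffer fills or 0x0a bytes. The function names, the frame contents and the addresses are constructed for illustration.

```python
import struct
import sys
import time

LINKTYPE_ETHERNET = 1      # libpcap link-layer type for Ethernet
SNAPLEN = 65535            # whole packets, as with "tcpdump -s 65535"

def pcap_global_header(snaplen=SNAPLEN, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link-layer type
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None, snaplen=SNAPLEN):
    ts = time.time() if ts is None else ts
    sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
    captured = frame[:snaplen]
    # ts_sec, ts_usec, captured length, original length on the wire
    return struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured

def sample_frame(payload=b"hello ethereal"):
    """Constructed Ethernet/IPv4/UDP frame (made-up addresses, checksums left 0)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 9, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + udp

def write_stream(out, frames, delay=0.0):
    """Write the file header, then one record per frame, flushing per packet."""
    out.write(pcap_global_header())
    out.flush()
    count = 0
    for frame in frames:
        out.write(pcap_record(frame))
        out.flush()        # the reader sees each packet as soon as it exists
        count += 1
        time.sleep(delay)
    return count

if __name__ == "__main__":
    # Argument: path of an existing FIFO (made with mkfifo), or "-" for stdout.
    target = sys.argv[1] if len(sys.argv) > 1 else "-"
    out = sys.stdout.buffer if target == "-" else open(target, "wb")
    write_stream(out, [sample_frame(b"packet %d" % i) for i in range(5)], delay=1.0)
```

Run it with the FIFO path as its argument while Ethereal captures from that FIFO, or pipe its standard output into Ethereal with "-" as the capture device name.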