Folks-
I wrote a Perl script that feeds pcap data to an instance of tshark
running in a child process, then takes the decoded output to present
to the user.
The problem is that I don't know when tshark is done sending output
back to me. This becomes a problem when running on Windows machines,
as you cannot do a non-blocking read on a file descriptor (more
details on this at http://www.perlmonks.org/?node_id=864690).
At first, I looked for a blank line. That works pretty good, except
when there's an error in the decoding, and the dissector throws in
blank lines around it's error output.
My next thought was to "frame" all of my requests between some small,
easily identified message (an ARP for example - my output never has
ARPs to decode).
Then it occurred to me, that the right way is to have a tshark command
line option, along the lines of --separator '---END OF DECODE', that
would get tshark to print that out after each message was dissected.
What are your thoughts on this?
Thanks
-Craig
Craig Votava
Alcatel-Lucent