Dear all,

I was asked by some people about access to capture comments from the
command line tools. We identified two use cases:

- You have a capture file and want to display its capture file comment.
  Nothing but the comment, no packets etc.
- You start a capture from the command line and want to insert a comment
  into the newly created file.

The reading should be an option to tshark ("display the capture file
comment and exit"). Tshark would need a copy of cf_read_shb_comment() or
a way to share it with file.c.

For writing, I added a switch -j <new comment> to both tshark and
dumpcap. It turned out that things are most simple if I add a new field
initial_capture_comment to the capture_options structure. Tshark can
pass the comment to dumpcap via sync_pipe_start() and dumpcap writes the
SHB.

I have something basic that's working. Probably, a lot of plausibility
checks for the parameters are missing. E.g. supplying a comment only
makes sense if we capture into one pcapng file.

What do you think: Do these use cases and the approach make sense to
you? And what letters should be used for the option? I know you've been
cleaning up the parameters lately ;-)

Best regards,
Martin
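
Added example, not part of the original message and not Wireshark code: a stand-alone sketch of both use cases at the file-format level, writing a pcapng Section Header Block (SHB) that carries a comment and reading only that comment back, with the length checks a reader needs on untrusted capture files. The function names build_shb and read_shb_comment are hypothetical; the layout assumed is the pcapng SHB with the comment stored as option code 1 (opt_comment).

```python
import struct

SHB_TYPE = 0x0A0D0D0A            # reads the same in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT = 0, 1

def build_shb(comment=None):
    """Build a little-endian SHB, optionally carrying an opt_comment."""
    opts = b""
    if comment is not None:
        raw = comment.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("comment exceeds the 16-bit option length field")
        pad = -len(raw) % 4      # option values are padded to 32 bits
        opts += struct.pack("<HH", OPT_COMMENT, len(raw)) + raw + b"\0" * pad
        opts += struct.pack("<HH", OPT_ENDOFOPT, 0)
    # magic, version 1.0, section length -1 (unspecified)
    body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + opts
    total = 12 + len(body)       # type + both length fields + body
    return struct.pack("<II", SHB_TYPE, total) + body + struct.pack("<I", total)

def read_shb_comment(data):
    """Return the comment of the first SHB, or None if it has none."""
    if len(data) < 28 or struct.unpack_from("<I", data, 0)[0] != SHB_TYPE:
        raise ValueError("not a pcapng file: no Section Header Block")
    magic = struct.unpack_from("<I", data, 8)[0]
    if magic == BYTE_ORDER_MAGIC:
        end = "<"
    elif magic == 0x4D3C2B1A:    # magic seen byte-swapped: big-endian section
        end = ">"
    else:
        raise ValueError("bad byte-order magic")
    total = struct.unpack_from(end + "I", data, 4)[0]
    if total < 28 or total % 4 or total > len(data):
        raise ValueError("bad SHB length")
    pos, stop = 24, total - 4    # options sit between header and trailer
    while pos + 4 <= stop:
        code, length = struct.unpack_from(end + "HH", data, pos)
        pos += 4
        if code == OPT_ENDOFOPT:
            break
        if pos + length > stop:  # never trust the length field of a file
            raise ValueError("option overruns block")
        if code == OPT_COMMENT:
            return data[pos:pos + length].decode("utf-8", errors="replace")
        pos += length + (-length % 4)
    return None
```

Only the first 28 bytes plus the options need to be read, so a "display the comment and exit" mode never has to touch packet data.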