Hi everyone,
I have a script that uses tshark to filter selected packets from a
very large body of captured data and passes them via stdout to a
custom packet decoding tool. (Arguably this might be better
implemented in some other way, e.g. with a dissector; but my approach
leverages a bunch of existing Java code that knows how to decode the
traffic in question.)
The basic approach is:
cat someHugeCaptureFile | tshark -i - -R $FILTER -w - | java DecoderClass
With tshark 0.99.6 on Fedora 6 this works great. With tshark 1.2.6 on
Fedora 12, it fails with:
tshark: The file "-" could not be opened: Illegal seek
If I omit the "-w -" and the pipe to the decoder, I get successful
(but uninformative) tshark decode to stdout. If I use "-w -" without
the pipe into the DecoderClass, I get a couple of raw packets dumped
to stdout, followed by the "illegal seek" error. I suspect the
problem may be with the environment rather than with tshark itself,
but I'm not sure how to proceed.
Unfortunately, I don't have administrative control over the machine in
question, so I cannot just install the older tshark and try it out. My
current workaround is to use tcpdump for simple things, but tshark's
more capable read filters are extremely useful, and I miss them :-(
I've seen one other message on wireshark-users about this, from 2009,
with no response. Has anyone else seen this problem? Is there an easy
solution?
Thanks for any advice,
-- JK