Wireshark-users: Re: [Wireshark-users] Display dumpcap in real time

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 1 Nov 2011 15:17:55 -0700
On Nov 1, 2011, at 2:19 PM, Chip wrote:

> Thanks Guy, that's perfect information.

Note, BTW, that if you're running tcpdump without -w (as you presumably would be doing, as per "I think I will go with tcpdump -S as really I am only caring about the connection information and not raw packet information"), neither -C nor -G will have any effect.  Just as the -a/-b ring-buffer stuff in TShark only affects a pcap or pcap-ng raw capture file, not the dissected output of TShark, -C and -G only affect a pcap raw capture file, not the dissected output of tcpdump.

tcpdump, when run without -w, just writes the dissected information to the standard output.  If you want the dissected information to show up on the screen *and* get written to a file, you'd have to pipe its output to another program (which means tcpdump's standard output would be a pipe, causing it to buffer output at the block level rather than the line level, so some screen output would get delayed); if you want it written to a rotating sequence of files, you'd need to have the program that reads from the pipe be one that supports that sort of ring buffer.  There are probably beefed-up versions of "tee" that can do that, but, if so, I'm not familiar with them.

Note that capture filters and snapshot lengths work in tcpdump as they do in dumpcap/Wireshark/TShark (or put it the other way around if you want to be historically accurate).
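The "beefed-up tee" Guy describes, reading tcpdump's dissected output from a pipe, echoing it to the screen and rotating it through a ring of files, as an added example in POSIX shell that is not part of the original thread; the ring_tee/sample_lines names, the prefix/lines-per-file/files-to-keep parameters, and the tcpdump-style sample lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal "ring-buffer tee"
# for tcpdump's dissected text output. Each line is echoed to the screen and
# appended to a rotating set of files; the oldest files are deleted.
# Assumed parameters: file prefix, lines per file, number of files to keep.
# Example pipeline (-l makes tcpdump line-buffer stdout so the screen copy
# is not delayed by the pipe's block buffering):
#   tcpdump -l -S | ring_tee /tmp/conn.log 10000 5

ring_tee() {
    prefix=$1      # output file prefix, e.g. /tmp/conn.log
    per_file=$2    # lines written to a file before rotating to the next one
    keep=$3        # number of files retained; older ones are deleted
    idx=0          # index of the current output file
    n=0            # lines written to the current file so far
    out="${prefix}.${idx}"
    : > "$out"
    while IFS= read -r line; do
        if [ "$n" -ge "$per_file" ]; then
            idx=$((idx + 1))
            n=0
            out="${prefix}.${idx}"
            : > "$out"
            old=$((idx - keep))
            if [ "$old" -ge 0 ]; then
                rm -f "${prefix}.${old}"
            fi
        fi
        printf '%s\n' "$line"             # copy to the screen (stdout)
        printf '%s\n' "$line" >> "$out"   # copy to the current ring file
        n=$((n + 1))
    done
}

# Constructed sample of tcpdump -S style lines (documentation addresses,
# not a real capture), so the script can be exercised without an interface.
sample_lines() {
    printf '%s\n' \
        '15:17:55.000001 IP 192.0.2.10.51000 > 198.51.100.5.443: Flags [S], seq 1000' \
        '15:17:55.000201 IP 198.51.100.5.443 > 192.0.2.10.51000: Flags [S.], seq 5000, ack 1001' \
        '15:17:55.000301 IP 192.0.2.10.51000 > 198.51.100.5.443: Flags [.], ack 5001' \
        '15:17:56.100000 IP 192.0.2.10.51000 > 198.51.100.5.443: Flags [F.], seq 1001, ack 5001' \
        '15:17:56.100200 IP 198.51.100.5.443 > 192.0.2.10.51000: Flags [F.], seq 5001, ack 1002'
}

# Stand-alone demo: 2 lines per file, keep the 2 most recent files.
if [ "${RING_TEE_DEMO:-0}" = 1 ]; then
    sample_lines | ring_tee /tmp/conn.log 2 2
fi
```

A per-line shell loop is adequate for connection-level output at modest rates; for a busy link, a compiled reader on the pipe would keep up better.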