Hi,
That's probably because -r refers to a file (which you can seek through), while
-i refers to a 'stream' (which you cannot seek). Now, tcpdump is single-pass
while *shark has multi-pass capability *for files*. Categorizing pipes in *shark
as files would open up that multi pass option, which it cannot handle, while
tcpdump would never do that so it can access a pipe as a file.
Thanks,
Jaap
On 02/04/2014 04:22 PM, Christopher Maynard wrote:
> Evan Huus <eapache@...> writes:
>
>> On Mon, Feb 3, 2014 at 5:43 PM, Christopher Maynard
>> <Christopher.Maynard@...> wrote:
>>> Evan Huus <eapache <at> ...> writes:
>>>
>>>> The -i flag is for specifying a network interface for live capture (e.g.
>>>> eth0) and so doesn't accept "-" to signify stdin.
>>>
>>> The tshark man page[1] would disagree. I just tested this with 1.10.5 and
>>> it worked as documented:
>>
>> Whoops, yes, you're right, I made a false assumption.
>
> Does anyone know why dumpcap, tshark and Wireshark read from a pipe using
> "-i -" and not "-r -"? It seems more intuitive to me to use "-r" than "-i"
> and it would match tcpdump's syntax[1]. I suppose either "-r -" or "-i -"
> could be allowed?
>
> - Chris
>
> [1]: http://www.tcpdump.org/tcpdump_man.html
>
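
Added illustration of the file-versus-stream distinction discussed in this thread (not part of the original messages, and not Wireshark or tcpdump code): the same constructed pcap bytes are read once from a regular file, which can be rewound for a second pass, and once from a pipe, which cannot. The function names and the sample capture are assumptions made for the example.

```python
import os
import struct
import tempfile

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(payloads):
    """Constructed sample capture: little-endian classic pcap, linktype 1 (Ethernet)."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += PCAP_RECORD.pack(i, 0, len(p), len(p)) + p
    return out

def read_records(f):
    """One sequential pass over the stream, yielding each packet's bytes."""
    hdr = f.read(PCAP_GLOBAL.size)
    if len(hdr) < PCAP_GLOBAL.size or PCAP_GLOBAL.unpack(hdr)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap stream")
    while True:
        rec = f.read(PCAP_RECORD.size)
        if len(rec) < PCAP_RECORD.size:
            return
        incl_len = PCAP_RECORD.unpack(rec)[2]
        yield f.read(incl_len)

def analyze(f):
    """Return (mode, packet_count); a second pass needs a rewind, which a pipe refuses."""
    first = sum(1 for _ in read_records(f))
    try:
        f.seek(0)  # rewind for the second pass
    except OSError:  # io.UnsupportedOperation (ESPIPE) when f is a pipe
        return ("single-pass", first)
    second = sum(1 for _ in read_records(f))
    return ("two-pass", second)

def demo():
    data = build_pcap([b"\x00" * 60, b"\x01" * 42, b"\x02" * 128])  # constructed packets
    with tempfile.TemporaryFile() as regular:
        regular.write(data)
        regular.seek(0)
        from_file = analyze(regular)
    r, w = os.pipe()
    os.write(w, data)  # small enough to fit in the pipe buffer
    os.close(w)
    with os.fdopen(r, "rb") as pipe:
        from_pipe = analyze(pipe)
    return from_file, from_pipe
```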