Add the solution to Kevin's growing file issue to the FAQ

This can be handled with tail and a pipe. But this solution does still have a downside - termshark will read the live capture and write the packets out under ~/.cache/termshark/pcaps/ - so the file will exist twice on disk. It would be nicer if termshark could avoid that. An idea that I haven't fleshed out yet is to be able to just run $ termshark -r foo.pcap and have termshark detect if the file is likely to grow e.g. by using something like fuser to indicate something else has it open for write (this wouldn't work if permissions didn't line up). If it's detected to be "live", then I can use termshark's internal mechanism to handle foo.pcap in the same way as I'd handle the output of tshark -i if termshark was reading from an interface.
gcla · Jan 22, 2021 · 3ac7501 · 3ac7501
1 parent c4bda87
commit 3ac7501
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/docs/FAQ.md b/docs/FAQ.md
@@ -11,6 +11,7 @@
 * [What settings affect termshark's colors?](#what-settings-affect-termsharks-colors)
 * [How do I rebuild termshark?](#how-do-i-rebuild-termshark)
 * [Where are the config and log files?](#where-are-the-config-and-log-files)
+* [I'm capturing with tcpdump. Can termshark treat that pcap like a live capture?]
 * [The console is too narrow on Windows](#the-console-is-too-narrow-on-windows)
 * [Can I pass extra arguments to tshark?](#can-i-pass-extra-arguments-to-tshark)
 * [How does termshark use tshark?](#how-does-termshark-use-tshark)
@@ -178,6 +179,15 @@ You can find the log file, `termshark.log`, in:
 - `${HOME}/Library/Caches/termshark/` on macOS
 - `%LOCALAPPDATA%\termshark\` `(C:\Users\<User>\AppData\Local\termshark\)` on Windows
 
+## I'm capturing with tcpdump. Can termshark treat that pcap like a live capture?
+
+Yes, at least on Unix systems. Try this:
+
+```bash
+shell1$ tcpdump -i eth0 -w foo.pcap
+shell2$ tail -f -c +0 foo.pcap | termshark
+```
+
 ## The console is too narrow on Windows
 
 Unfortunately, the standard console window won't let you increase its size beyond its initial bounds using the mouse. To work around this, after termshark starts, right-click on the window title and select "Properties". Click "Layout" and then adjust the "Window Size" settings. When you quit termshark, your console window will be restored to its original size.