From 3ac7501a79491ead30461093ca9b71a4a7990c2e Mon Sep 17 00:00:00 2001 From: Graham Clark Date: Fri, 22 Jan 2021 15:30:34 -0500 Subject: [PATCH] Add the solution to Kevin's growing file issue to the FAQ This can be handled with tail and a pipe. But this solution does still have a downside - termshark will read the live capture and write the packets out under ~/.cache/termshark/pcaps/ - so the file will exist twice on disk. It would be nicer if termshark could avoid that. An idea that I haven't fleshed out yet is to be able to just run $ termshark -r foo.pcap and have termshark detect if the file is likely to grow e.g. by using something like fuser to indicate something else has it open for write (this wouldn't work if permissions didn't line up). If it's detected to be "live", then I can use termshark's internal mechanism to handle foo.pcap in the same way as I'd handle the output of tshark -i if termshark was reading from an interface. --- docs/FAQ.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/FAQ.md b/docs/FAQ.md index 58fcf33..866d513 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -11,6 +11,7 @@ * [What settings affect termshark's colors?](#what-settings-affect-termsharks-colors) * [How do I rebuild termshark?](#how-do-i-rebuild-termshark) * [Where are the config and log files?](#where-are-the-config-and-log-files) +* [I'm capturing with tcpdump. Can termshark treat that pcap like a live capture?] * [The console is too narrow on Windows](#the-console-is-too-narrow-on-windows) * [Can I pass extra arguments to tshark?](#can-i-pass-extra-arguments-to-tshark) * [How does termshark use tshark?](#how-does-termshark-use-tshark) 
@@ -178,6 +179,15 @@ You can find the log file, `termshark.log`, in: - `${HOME}/Library/Caches/termshark/` on macOS - `%LOCALAPPDATA%\termshark\` `(C:\Users\\AppData\Local\termshark\)` on Windows +## I'm capturing with tcpdump. Can termshark treat that pcap like a live capture? + +Yes, at least on Unix systems. Try this: + +```bash +shell1$ tcpdump -i eth0 -w foo.pcap +shell2$ tail -f -c +0 foo.pcap | termshark +``` + ## The console is too narrow on Windows Unfortunately, the standard console window won't let you increase its size beyond its initial bounds using the mouse. To work around this, after termshark starts, right-click on the window title and select "Properties". Click "Layout" and then adjust the "Window Size" settings. When you quit termshark, your console window will be restored to its original size.
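Review bot: In the first hunk (table of contents, `@@ -11,6 +11,7 @@`), the added entry `* [I'm capturing with tcpdump. Can termshark treat that pcap like a live capture?]` has no `(#...)` link target, so it will render as literal bracketed text rather than a link, unlike every neighbouring entry. Append an anchor in the same form the other entries use, which for the new heading should be `(#im-capturing-with-tcpdump-can-termshark-treat-that-pcap-like-a-live-capture)`, and check that it resolves in the rendered page.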
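Review bot: In the second hunk (the new FAQ section, `@@ -178,6 +179,15 @@`), the answer omits the downside the commit message itself describes: termshark reads the piped capture and writes the packets out again under `~/.cache/termshark/pcaps/`, so the capture exists twice on disk. A reader following the `tail -f -c +0 foo.pcap | termshark` recipe on a long-running capture should be told this in the FAQ, since a second full copy can fill the disk and also leaves a copy of the captured traffic in the cache directory after `foo.pcap` is deleted. Add one sentence after the code block stating this. A smaller point on the same block: the `shell1$` and `shell2$` prompts inside the `bash` fence prevent copy-pasting the commands, so consider a sentence saying the two commands run in separate terminals and dropping the prompts.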