Hello everyone!

I want to monitor my network using Wireshark's tshark command line tool.
What I want to accomplish is to redirect tshark's output to a C++ application, so I can examine the data and output a more comprehensive analysis without keeping a huge amount of data.

I am working on Windows, and usually code in MFC. So I would like any info on how to get the command line stream into my program, in order to analyze it.

Anyway, all I want is tips on how to get a continuous stream of data from a command line application.

Any help appreciated.
Thanks!

All 4 Replies

If you want to pipe/redirect the output of tshark to your program then your program only needs to read from standard input (std::cin). You will have to be cognizant of the format of the stream you are reading - which will change depending on the flags given to tshark.
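As an added illustration of the reply above (this is not code from the thread or from any linked project): a C++ program that reads tshark's output from standard input line by line and keeps only running per-host counters, so nothing is stored per packet. It assumes tshark is started with field output, for example `tshark -i <iface> -l -T fields -e ip.src -e ip.dst -e frame.len -E separator=/t | MyApplication.exe`, so that each line is `ip.src<TAB>ip.dst<TAB>frame.len`; the field order is the example's own assumption, and `-l` makes tshark flush after every packet.

```cpp
// Added example: a stdin consumer for tshark "-T fields" output.
// Assumed line layout (set by the -e flags on the tshark command line):
//   ip.src <TAB> ip.dst <TAB> frame.len
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct HostStats {
    unsigned long long packets = 0;
    unsigned long long bytes = 0;
};

// Running totals keyed by source address; this is all the program retains.
using StatsTable = std::map<std::string, HostStats>;

// Split one tab-separated tshark line into its fields. Empty fields (a frame
// with no IP layer has an empty ip.src) are kept so positions stay stable.
std::vector<std::string> splitFields(const std::string& line) {
    std::vector<std::string> fields;
    std::string field;
    std::istringstream in(line);
    while (std::getline(in, field, '\t'))
        fields.push_back(field);
    return fields;
}

// Fold one line into the table. Returns false for a malformed line or a frame
// without an IP source, so the caller can count what was skipped.
bool processLine(const std::string& line, StatsTable& table) {
    std::vector<std::string> f = splitFields(line);
    if (f.size() < 3 || f[0].empty())
        return false;
    unsigned long long len = 0;
    try {
        len = std::stoull(f[2]);
    } catch (const std::exception&) {
        return false;
    }
    HostStats& s = table[f[0]];
    s.packets += 1;
    s.bytes += len;
    return true;
}

// Read the stream as it arrives. std::getline blocks until tshark has written
// another complete line, so the pipe stays open for the whole capture.
// Returns the number of lines that were skipped.
unsigned long long processStream(std::istream& in, StatsTable& table) {
    unsigned long long skipped = 0;
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r')  // CRLF from a Windows console
            line.pop_back();
        if (!processLine(line, table))
            ++skipped;
    }
    return skipped;
}

void printSummary(const StatsTable& table, std::ostream& out) {
    for (const auto& kv : table)
        out << kv.first << '\t' << kv.second.packets << " packets\t"
            << kv.second.bytes << " bytes\n";
}

int main() {
    StatsTable table;
    unsigned long long skipped = processStream(std::cin, table);
    printSummary(table, std::cout);
    std::cerr << "skipped " << skipped << " non-IP or malformed lines\n";
    return 0;
}
```

The summary is printed when tshark exits and the pipe closes; for a long-running capture you would call printSummary from inside the loop every N lines instead, which keeps the memory footprint bounded by the number of distinct hosts rather than the number of packets.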

I am sorry but could you be more specific please?

Do you suggest that I execute it like that:

> tshark -parameters | MyApplication.exe

so I can redirect tshark's output to my application?

The thing that bothers me mostly is how I can keep the continuous stream of tshark's data open and read from it without closing the pipe (or whatever connects them) even once in a while, and thus losing data...?

I can't figure it out in my head. I am looking for an algorithmic approach, not a coding practice. Sorry if I wasn't clear enough.

By the way, I found a nice example on piping. Anyone interested in the subject could read it:

Microsoft : Standard Input/Output Redirection

All of the plumbing of the pipe will be managed for you. As long as the tshark process is running and producing output your program will still be able to read from standard input. In fact, even if tshark takes a long time to produce output your program should just block while trying to read from the stream.
I'm not sure what problem you are having. Perhaps you could write a sample of MyApplication.exe that only reads the input and prints it. Something like

#include <iostream>
#include <string>
int main() {
    std::string line;
    while (std::getline(std::cin, line))  // blocks until tshark writes the next line
        std::cout << line << '\n';
}

That way you could see what behavior you get compared to what you are expecting.

Actually I have found a great class which does what I want here:
Redirecting an arbitrary Console's Input/Output

I have tested it with tshark and it seems pretty robust.
It uses pipes to redirect both stdin and stdout of a process that is created as a child.

I haven't fully understood yet how the waiting/buffering system works between the parent and child processes, but it seems that the parent waits until the console can send its output.

When I set tshark's output to packet mode (each packet is flushed by itself), then after each packet the console passes the handling to the parent, which is free to do whatever computing is necessary.

If I set tshark's output to continuous stream mode, then the console passes the handling to the parent when a certain buffer (this is what I didn't understand yet) is full and the console's output is forced to be flushed.

The size of that buffer is a little more than 4Kbytes (!?), and here is an article that describes how it works:
CreateNamedPipe function

Just wanted to share the above knowledge to anyone interested in the topic.
Any comments on the buffering system are still welcome, though I found my solution.

Thanks for helping me out!
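The buffering behaviour described in the post above has one practical consequence for the parent's read loop, shown here as an added C++ example (not code from the thread or from the linked class): whatever reads the child's pipe (ReadFile on the Win32 handle, or std::cin.read) gets back chunks of arbitrary size. With per-packet flushing a chunk is usually one whole line, but in stream mode the child's buffer fills and a chunk can end in the middle of a line, so the analysis code must reassemble lines across chunks rather than assume one read equals one packet. The 4096-byte read buffer in main mirrors the size mentioned in the post and is the example's own choice.

```cpp
// Added example: line re-assembly over raw pipe chunks of arbitrary size.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

class LineAssembler {
public:
    // Feed one chunk exactly as it came off the pipe; returns the complete
    // lines now available. An unterminated tail is kept for the next call.
    std::vector<std::string> feed(const char* data, std::size_t len) {
        std::vector<std::string> lines;
        pending_.append(data, len);
        std::size_t start = 0;
        for (;;) {
            std::size_t nl = pending_.find('\n', start);
            if (nl == std::string::npos)
                break;
            std::string line = pending_.substr(start, nl - start);
            if (!line.empty() && line.back() == '\r')  // CRLF from a Windows console
                line.pop_back();
            lines.push_back(line);
            start = nl + 1;
        }
        pending_.erase(0, start);
        return lines;
    }
    std::vector<std::string> feed(const std::string& chunk) {
        return feed(chunk.data(), chunk.size());
    }

    // Call when the child exits (ReadFile reports a broken pipe, or EOF on
    // stdin): a last line without a trailing newline is still a record.
    std::vector<std::string> finish() {
        std::vector<std::string> lines;
        if (!pending_.empty()) {
            lines.push_back(pending_);
            pending_.clear();
        }
        return lines;
    }

    std::size_t pendingBytes() const { return pending_.size(); }

private:
    std::string pending_;
};

// Drive the assembler over a sequence of chunks the way a read loop would
// and return every complete record in order.
std::vector<std::string> assembleAll(const std::vector<std::string>& chunks) {
    LineAssembler assembler;
    std::vector<std::string> out;
    for (const std::string& c : chunks) {
        std::vector<std::string> lines = assembler.feed(c);
        out.insert(out.end(), lines.begin(), lines.end());
    }
    std::vector<std::string> tail = assembler.finish();
    out.insert(out.end(), tail.begin(), tail.end());
    return out;
}

int main() {
    // Stand-alone use: read stdin in pipe-sized chunks and print each record.
    LineAssembler assembler;
    char buf[4096];
    while (std::cin.read(buf, sizeof buf) || std::cin.gcount() > 0) {
        std::size_t n = static_cast<std::size_t>(std::cin.gcount());
        for (const std::string& line : assembler.feed(buf, n))
            std::cout << line << '\n';
    }
    for (const std::string& line : assembler.finish())
        std::cout << line << '\n';
    return 0;
}
```

Inside an MFC application the same class sits between the thread that calls ReadFile on the child's stdout handle and the code that parses records; each complete line can then be posted to the UI thread or folded into counters without ever handling a truncated packet.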
