The situation: tcpdump is running pretty much continuously on one of your boxes, busily snooping the traffic. The resulting pcap file is huge, and you like it that way.

The task: you want to analyze the current traffic using Wireshark, which is not installed on the box tcpdump is running on. Even X11 is not there, and again, you would like to keep it that way.

The problem: copying the whole file to your desktop machine is an option, but it will take too long. Running another instance of tcpdump and piping its output to Wireshark on your desktop machine would work, but you don't like it, since the data is already there, and it is nice to use what you have.

The solution: download and compile the little pcaptail program. Run it with the pcap file name as its only parameter. It behaves like tail -f, but at the level of individual packets. You can then feed its output to an instance of Wireshark on your desktop machine.
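A sketch of how packet-level tailing can work, as an added example that is not the pcaptail source: it walks the record headers of a classic pcap file and only forwards records that are completely written. The function name, the length bound, the host-byte-order restriction and the choice to skip packets already in the file are assumptions of this example.

```c
/* Added example, not the pcaptail source. Assumes a classic pcap file as written
   by tcpdump -w, in the reader's byte order: 24-byte file header, then records
   made of a 16-byte header (ts_sec, ts_usec, incl_len, orig_len) plus incl_len bytes. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_CAPLEN 262144u /* assumed sanity bound on incl_len */

/* Copy every complete record from in's current offset to out (out == NULL: skip only).
   A record the writer has not finished yet is left unread for the next call.
   Returns the number of complete records consumed, or -1 on an implausible length. */
long copy_complete_packets(FILE *in, FILE *out)
{
    static unsigned char body[MAX_CAPLEN];
    long n = 0;
    for (;;) {
        long start = ftell(in);
        uint32_t rh[4];
        if (fread(rh, 1, sizeof rh, in) != sizeof rh) { fseek(in, start, SEEK_SET); break; }
        if (rh[2] > MAX_CAPLEN) return -1;
        if (fread(body, 1, rh[2], in) != rh[2]) { fseek(in, start, SEEK_SET); break; }
        if (out) {
            fwrite(rh, 1, sizeof rh, out);
            fwrite(body, 1, rh[2], out);
        }
        n++;
    }
    if (out) fflush(out); /* hand packets to the reader immediately */
    return n;
}

int main(int argc, char **argv)
{
    uint32_t fh[6]; /* pcap file header; fh[0] is the magic number */
    FILE *in = argc == 2 ? fopen(argv[1], "rb") : NULL;
    if (!in || fread(fh, 1, sizeof fh, in) != sizeof fh) return 1;
    if (fh[0] != 0xa1b2c3d4u && fh[0] != 0xa1b23c4du) return 2; /* not host-order pcap */
    fwrite(fh, 1, sizeof fh, stdout);
    if (copy_complete_packets(in, NULL) < 0) return 3; /* skip packets already captured */
    while (copy_complete_packets(in, stdout) >= 0)
        sleep(1); /* poll for records appended since the last pass */
    return 3;
}
```

The output is itself a valid pcap stream, so on the desktop something like `ssh box ./a.out capture.pcap | wireshark -k -i -` (host, binary and file names are placeholders) feeds it to Wireshark. Running tcpdump with `-U` makes it write each packet to the file as it is captured instead of waiting for its buffer to fill.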

Enjoy. It's an ugly hack, but you can still enjoy it.

P.S. Long time no C. :-)