I have a custom sniffer which produces output in pcapng format. I launch it like this:
<sniffer launch line> | tee out.pcapng | tshark -Tpdml -i -
expecting to have PDML output on stdout. Generally it works, but sometimes the following happens: after the first packet has been written to stdout by the sniffer, tshark just reports 0 packets captured and closes. At the same time, out.pcapng appears to be valid and can be opened successfully with Wireshark.
Moreover, when I try
cat out.pcapng | tshark -Tpdml -i -
it handles the input successfully in 90% of launches, but still fails sometimes.
It seems that changing the tshark flag from -i to -r helps, but I'm not sure if it solves the problem or just makes it appear less often. And anyway, I'd be pleased to know what actually happens there. Launching tshark with stdbuf -o 0 tshark ... doesn't help.
An example of problematic .pcapng file: https://drive.google.com/file/d/1GS41yti0zs5-ZT5bgRNYslIQW1q_fDfQ/view?usp=sharing
Version of Tshark: TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)