mozillazg · mozillazg · Feb 22, 2025 · Feb 21, 2025
diff --git a/README.md b/README.md
@@ -334,7 +334,7 @@ Flags:
 | -w *x.pcap*                                       | ✅       | ✅ (without process info) |
 | -w *-*                                            | ✅       | ✅                        |
 | -r *x.pcapng*, -r *x.pcap*                        | ✅       | ✅                        |
-| -r *-*                                            | ✅       |                          |
+| -r *-*                                            | ✅       | ✅                        |
 | --pid *process_id*                                |         | ✅                        |
 | --pname *process_name*                            |         | ✅                        |
 | --uid *user_id*                                   |         | ✅                        |
@@ -343,7 +343,6 @@ Flags:
 | --pod-name *pod_name.namespace*                   |         | ✅                        |
 | -f, --follow-forks                                |         | ✅                        |
 | -- *command [args]*                               |         | ✅                        |
-| --oneline                                         |         | ✅                        |
 | --netns *path_to_net_ns*                          |         | ✅                        |
 | --print                                           | ✅       | ✅                        |
 | -c *count*                                        | ✅       | ✅                        |

diff --git a/README.zh-CN.md b/README.zh-CN.md
@@ -337,15 +337,14 @@ Flags:
 | -w *x.pcap*                                       | ✅       | ✅ (without process info) |
 | -w *-*                                            | ✅       | ✅                        |
 | -r *x.pcapng*, -r *x.pcap*                        | ✅       | ✅                        |
-| -r *-*                                            | ✅       |                          |
+| -r *-*                                            | ✅       | ✅                        |
 | --pid *process_id*                                |         | ✅                        |
 | --pname *process_name*                            |         | ✅                        |
 | --container-id *container_id*                     |         | ✅                        |
 | --container-name *container_name*                 |         | ✅                        |
 | --pod-name *pod_name.namespace*                   |         | ✅                        |
 | -f, --follow-forks                                |         | ✅                        |
 | -- *command [args]*                               |         | ✅                        |
-| --oneline                                         |         | ✅                        |
 | --netns *path_to_net_ns*                          |         | ✅                        |
 | --print                                           | ✅       | ✅                        |
 | -c *count*                                        | ✅       | ✅                        |

diff --git a/cmd/read.go b/cmd/read.go
@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -10,28 +11,39 @@ import (
 	"github.com/mozillazg/ptcpdump/internal/log"
 	"github.com/mozillazg/ptcpdump/internal/metadata"
 	"github.com/mozillazg/ptcpdump/internal/parser"
+	"github.com/mozillazg/ptcpdump/internal/types"
+	"github.com/mozillazg/ptcpdump/internal/utils"
 	"github.com/mozillazg/ptcpdump/internal/writer"
 )
 
 func read(ctx context.Context, opts *Options) error {
 	fpath := opts.ReadPath()
-	log.Warnf("reading from file %s", fpath)
-
-	f, err := os.Open(fpath)
+	f, err := getReader(opts)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
+	dataType, err := utils.DetectPcapDataType(f)
+	if err != nil {
+		return err
+	}
 
 	var p parser.Parser
 	pcache := metadata.NewProcessCache()
 	stdoutWriter := writer.NewStdoutWriter(opts.getStdout(), pcache)
 	opts.applyToStdoutWriter(stdoutWriter)
 
 	ext := filepath.Ext(fpath)
-	switch ext {
-	case extPcap:
-		pr, err := parser.NewPcapParser(f)
+	switch {
+	case ext == extPcap, dataType == types.PcapDataTypePcap:
+		r, ok, err := f.File()
+		if !ok {
+			if err != nil {
+				log.Infof("%v", err)
+			}
+			return errors.New("unsupported data source for the pcap format")
+		}
+		pr, err := parser.NewPcapParser(r)
 		if err != nil {
 			return err
 		}
@@ -68,3 +80,24 @@ func read(ctx context.Context, opts *Options) error {
 
 	return nil
 }
+
+func getReader(opts *Options) (*types.ReadBuffer, error) {
+	fpath := opts.ReadPath()
+	log.Warnf("reading from file %s", fpath)
+
+	var r *types.ReadBuffer
+
+	switch fpath {
+	case "-":
+		r = types.NewReadBuffer(io.NopCloser(os.Stdin))
+		break
+	default:
+		f, err := os.Open(fpath)
+		if err != nil {
+			return nil, err
+		}
+		r = types.NewReadBuffer(f)
+	}
+
+	return r, nil
+}
diff --git a/cmd/read_test.go b/cmd/read_test.go
@@ -23,6 +23,13 @@ func TestFormat(t *testing.T) {
 			},
 			expectedOutFile: "../testdata/format/tcp.pcapng.out.txt",
 		},
+		{
+			name: "pcapng file detect",
+			opts: &Options{
+				readFilePath: "../testdata/format/tcp.pcapng.unknown",
+			},
+			expectedOutFile: "../testdata/format/tcp.pcapng.out.txt",
+		},
 		{
 			name: "tcp -c",
 			opts: &Options{
@@ -117,6 +124,13 @@ func TestFormat(t *testing.T) {
 			},
 			expectedOutFile: "../testdata/format/udp.pcap.out.txt",
 		},
+		{
+			name: "pcap file detect",
+			opts: &Options{
+				readFilePath: "../testdata/format/udp.pcap.unknown",
+			},
+			expectedOutFile: "../testdata/format/udp.pcap.out.txt",
+		},
 		{
 			name: "udp dns",
 			opts: &Options{

diff --git a/internal/types/io.go b/internal/types/io.go
@@ -0,0 +1,43 @@
+package types
+
+import (
+	"bufio"
+	"io"
+	"os"
+)
+
+func NewReadBuffer(r io.ReadCloser) *ReadBuffer {
+	return &ReadBuffer{
+		r:   r,
+		buf: bufio.NewReader(r),
+	}
+}
+
+type ReadBuffer struct {
+	r   io.Closer
+	buf *bufio.Reader
+}
+
+func (r *ReadBuffer) Read(p []byte) (int, error) {
+	return r.buf.Read(p)
+}
+
+func (r *ReadBuffer) Peek(n int) ([]byte, error) {
+	return r.buf.Peek(n)
+}
+
+func (r *ReadBuffer) Close() error {
+	return r.r.Close()
+}
+
+func (r *ReadBuffer) File() (*os.File, bool, error) {
+	f, ok := r.r.(*os.File)
+	if !ok {
+		return nil, false, nil
+	}
+	_, err := f.Seek(0, io.SeekStart)
+	if err != nil {
+		return nil, false, err
+	}
+	return f, true, nil
+}
diff --git a/internal/types/pcap.go b/internal/types/pcap.go
@@ -0,0 +1,12 @@
+package types
+
+type PcapDataType string
+
+const (
+	PcapDataTypePcap   PcapDataType = "pcap"
+	PcapDataTypePcapNg PcapDataType = "pcapng"
+
+	PcapMagicNumberForMicrosecond = 0xA1B2C3D4
+	PcapMagicNumberForNanosecond  = 0xA1B23C4D
+	PcapNgMagicNumber             = 0x0A0D0D0A
+)
diff --git a/internal/utils/pcap.go b/internal/utils/pcap.go
@@ -0,0 +1,25 @@
+package utils
+
+import (
+	"encoding/binary"
+
+	"github.com/mozillazg/ptcpdump/internal/types"
+)
+
+func DetectPcapDataType(r *types.ReadBuffer) (types.PcapDataType, error) {
+	// read the first 4 bytes of the file
+	header, err := r.Peek(4)
+	if err != nil {
+		return "", err
+	}
+
+	magicNumber := binary.LittleEndian.Uint32(header)
+	switch magicNumber {
+	case types.PcapMagicNumberForMicrosecond, types.PcapMagicNumberForNanosecond:
+		return types.PcapDataTypePcap, nil
+	case types.PcapNgMagicNumber:
+		return types.PcapDataTypePcapNg, nil
+	}
+
+	return "", nil
+}
diff --git a/testdata/format/tcp.pcapng.unknown b/testdata/format/tcp.pcapng.unknown
diff --git a/testdata/format/udp.pcap.unknown b/testdata/format/udp.pcap.unknown
diff --git a/testdata/test_base.sh b/testdata/test_base.sh
@@ -33,6 +33,9 @@ function test_ptcpdump_read() {
     timeout 30s ${CMD} -v -r "${FNAME}" |tee "${RNAME}"
     cat "${RNAME}" | grep '/usr/bin/curl'
     cat "${RNAME}" | grep -F ' > 1.1.1.1.80: Flags [S],'   # SYN
+
+    cat "${FNAME}" | ${CMD} -v -r - |grep '/usr/bin/curl'
+    cat "${FNAME}" | ${CMD} -v -r - |grep -F ' > 1.1.1.1.80: Flags [S],'   # SYN
 }
 
 function main() {