Wireshark mailing list archives
Re: PCAP-over-IP in Wireshark?
From: Erik Hjelmvik <erik.hjelmvik () gmail com>
Date: Mon, 31 Jan 2022 19:52:35 +0100
Hi Dario,

Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my requirements. Wrapping captured packets inside of UDP packets or IP packets (as in ERSPAN) to allow remote sniffing is an attractive solution, but it comes with several drawbacks. Some of these drawbacks include difficulties in handling captured packets that exceed the MTU between sniffer and collector, how to preserve timestamps from the original capture source etc.

Transmitting packets over a TCP connection has a few drawbacks as well, but it's a method that has served me very well over the years. As of now, I'd say that the primary drawback of using PCAP-over-IP (which really should be called "PCAP-over-TCP") is that Wireshark/tshark can't read this data natively without having to use netcat as a shim between the TCP socket and Wireshark/tshark.

I was hoping that there was an extcap solution for this, but I'm guessing I might be out of luck there :(

/erik

On Mon, 31 Jan 2022 at 14:02, Dario Lombardo <lomato () gmail com> wrote:

> You can have a look at udpdump, which doesn't use TCP but UDP, but it may fit your purpose.
>
> On Mon, Jan 31, 2022 at 1:57 PM Erik Hjelmvik <erik.hjelmvik () gmail com> wrote:
>
>> Hello folks,
>>
>> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.
>>
>> Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
>>
>>     nc localhost 57012 | wireshark -k -i -
>>
>> But it would be much nicer if this data could be read directly without having to use netcat. Maybe as an extcap interface?
>>
>> Best regards,
>> Erik
>
> --
> Naima is online.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
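The message above argues that a PCAP stream over TCP avoids the MTU and timestamp problems of UDP or ERSPAN encapsulation. As an added example (not code from the thread, its participants or Wireshark), here is a minimal incremental reader for a classic pcap stream that reassembles records split across TCP reads. The class name, the `MAX_CAPLEN` bound and the sample bytes are assumptions constructed here.

```python
import struct

# Magic bytes as they appear on the wire -> (struct byte order, timestamp units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}
MAX_CAPLEN = 262144  # assumed sanity bound on record size; the stream is untrusted input

class PcapStreamParser:
    """Incremental pcap parser; feed() takes chunks of any size, as recv() returns them."""
    def __init__(self):
        self.buf = bytearray()
        self.order = self.ts_div = self.linktype = None  # set once the global header arrives

    def feed(self, chunk):
        """Return the packets completed by this chunk as ((sec, frac), orig_len, data)."""
        self.buf += chunk
        out = []
        if self.order is None:
            if len(self.buf) < 24:
                return out  # 24-byte global header not complete yet
            magic = bytes(self.buf[:4])
            if magic not in MAGICS:
                raise ValueError("not a pcap stream")
            self.order, self.ts_div = MAGICS[magic]
            self.linktype = struct.unpack(self.order + "I", self.buf[20:24])[0]
            del self.buf[:24]
        while len(self.buf) >= 16:
            sec, frac, caplen, origlen = struct.unpack(self.order + "4I", self.buf[:16])
            if caplen > MAX_CAPLEN:
                raise ValueError("record length exceeds sanity bound")
            if len(self.buf) < 16 + caplen:
                break  # record continues in a later TCP segment
            out.append(((sec, frac), origlen, bytes(self.buf[16:16 + caplen])))
            del self.buf[:16 + caplen]
        return out

def parse_in_chunks(stream, size):
    """Feed a byte stream in fixed-size pieces, as a socket read loop would."""
    parser, packets = PcapStreamParser(), []
    for i in range(0, len(stream), size):
        packets += parser.feed(stream[i:i + size])
    return packets

# Constructed sample: global header, then a 60-byte and a 3000-byte record (above a 1500-byte MTU).
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for ts, n in ((1643655155, 60), (1643655156, 3000)):
    SAMPLE += struct.pack("<4I", ts, 250000, n, n) + bytes([n % 256]) * n
```

The per-record header carries the original capture timestamp and length, so the result is the same whatever sizes the TCP reads arrive in.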
Current thread:
- PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Dario Lombardo (Jan 31)
- Re: PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Roland Knall (Jan 31)
- Re: PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Roland Knall (Jan 31)
- Re: PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Dario Lombardo (Jan 31)
- Re: PCAP-over-IP in Wireshark? chuck c (Jan 31)