Wireshark mailing list archives

Re: PCAP-over-IP in Wireshark?


From: chuck c <bubbasnmp () gmail com>
Date: Tue, 1 Feb 2022 09:24:28 -0600

"Replacing 127.0.0.1 with localhost didn't work for some reason though."

dumpcap (
https://gitlab.com/wireshark/wireshark/-/blob/master/dumpcap.c#L1366) calls
ws_socket_ptoa (
https://gitlab.com/wireshark/wireshark/-/blob/master/wsutil/socket.h#L72)
which expects an IP address.

 * Convert the strings ipv4_address:port or [ipv6_address]:port to a
 * sockaddr object.

That matches the description on the wiki entry:
https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
"... using the -i TCP@<addr>[:port] option."

I'm not sure it's worth making a name resolution call. Maybe better to
update the docs and usage to "<addr>" instead of "<host>"?


On Tue, Feb 1, 2022 at 5:18 AM Erik Hjelmvik <erik.hjelmvik () gmail com>
wrote:

Thank you Guy and Chuck!

Adding a Pipe interface with the path "TCP@127.0.0.1:57012" worked, and
so did running "wireshark -k -i TCP@127.0.0.1:57012"! I've now verified
that this feature can be used to read PCAP from a TCP socket in both
Windows and Linux. This is exactly what I was hoping for! Replacing
127.0.0.1 with localhost didn't work for some reason though. I just get an
error message saying that "TCP@localhost:57012" is not a valid socket
specification.

I was delighted to see that tshark also reads the pcap stream nicely when
I run it like this:
tshark -i TCP@127.0.0.1:57012

I've also verified that I can read the PCAP stream from a remote IP
instead of just 127.0.0.1.

Thank you for your great work!

On Tue 1 Feb 2022 at 04:28 chuck c <bubbasnmp () gmail com> wrote:

https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket

"A TCP stream is treated as like data from other pipes and the same
restrictions apply.
On each new connection the TCP server must send the header blocks as
specified by libpcap or pcapng before any packet captures.
TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage
Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."

On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <gharris () sonic net> wrote:

On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelmvik () gmail com>
wrote:

Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
stream over a TCP socket.

Currently, the best solution to read PCAP-over-IP in Wireshark is by
using netcat to read the PCAP stream and forward it to Wireshark's STDIN
like this:
nc localhost | wireshark -k -i -

So this means "stream a pcap file to Wireshark and have it read it as a
live capture".

Wireshark - well, dumpcap, which does the capturing - has supported
capturing from a pipe for a while.

Support for capturing from a TCP socket was added at some point; the man
page doesn't document it all that well:

       −i|−−interface  <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|−

           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "dumpcap −D" (described above); a number, as reported by "dumpcap
           −D", can also be used. If you're using UNIX, "netstat −i",
           "ifconfig −a" or "ip link" might also work to list interface names,
           although not all versions of UNIX support the −a option to
           ifconfig.

           If no interface is specified, Dumpcap searches the list of
           interfaces, choosing the first non−loopback interface if there are
           any non−loopback interfaces, and choosing the first loopback
           interface if there are no non−loopback interfaces. If there are no
           interfaces at all, Dumpcap reports an error and doesn't start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or "−"
           to read data from the standard input. On Windows systems, pipe
           names must be of the form "\\pipe\.*pipename*". Data read from
           pipes must be in standard pcapng or pcap format. Pcapng data must
           have the same endianness as the capturing host.

It mentions "TCP@<host>:<port>" in the line describing the interface,
but doesn't say what it means.

So try

    wireshark -k -i TCP@localhost:57012


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe



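A minimal PCAP-over-IP server and matching reader that follow the rule quoted from the wiki above (the pcap header goes out first on every new TCP connection, then the packet records), written as an added example for this thread and not code from Wireshark or from anyone in the discussion. The packet payloads are constructed samples, port 57012 is the one used in the thread, and the host is given as a literal IP because, as noted above, dumpcap's `-i TCP@` parser expects an address rather than a name.

```python
import socket
import struct
import threading
import time
PCAP_MAGIC = 0xA1B2C3D4   # pcap magic number (microsecond timestamps)

def pcap_global_header(snaplen=65535, linktype=1):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(payload, ts=None):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len, then the bytes
    ts = time.time() if ts is None else ts
    sec, frac = divmod(ts, 1)
    return struct.pack("<IIII", int(sec), int(frac * 1_000_000),
                       len(payload), len(payload)) + payload

def serve_connection(conn, packets):
    # Header first on every connection, as dumpcap requires, then the records.
    try:
        conn.sendall(pcap_global_header())
        for pkt in packets:
            conn.sendall(pcap_record(pkt))
    finally:
        conn.close()

def start_server(packets, host="127.0.0.1", port=57012):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))          # port=0 lets the OS pick a free port
    srv.listen()
    def accept_loop():              # one connection at a time, in the background
        while True:
            conn, _ = srv.accept()
            serve_connection(conn, packets)
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]     # the port actually bound

def read_stream(host, port):
    # Client side of "-i TCP@host:port": connect, validate the global header,
    # then split the byte stream back into (linktype, [packet payloads]).
    with socket.create_connection((host, port)) as conn:
        data = b"".join(iter(lambda: conn.recv(65536), b""))
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("stream does not start with a pcap global header")
    payloads, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        payloads.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return linktype, payloads
```

With the server running on 57012, `wireshark -k -i TCP@127.0.0.1:57012` or `tshark -i TCP@127.0.0.1:57012` attaches to it exactly as described in the thread; `read_stream` is only there to show the header-then-records framing that dumpcap consumes.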
