Wireshark mailing list archives
Re: PCAP-over-IP in Wireshark?
From: Guy Harris <gharris () sonic net>
Date: Mon, 31 Jan 2022 16:18:46 -0800
On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelmvik () gmail com> wrote:
Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket. Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this: nc localhost | wireshark -k -i -
So this means "stream a pcap file to Wireshark and have it read it as a live capture".

Wireshark - well, dumpcap, which does the capturing - has supported capturing from a pipe for a while. Support for capturing from a TCP socket was added at some point; the man page doesn't document it all that well:

    -i|--interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|-

    Set the name of the network interface or pipe to use for live packet capture.

    Network interface names should match one of the names listed in "dumpcap -D" (described above); a number, as reported by "dumpcap -D", can also be used. If you're using UNIX, "netstat -i", "ifconfig -a" or "ip link" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.

    If no interface is specified, Dumpcap searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, Dumpcap reports an error and doesn't start the capture.

    Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. On Windows systems, pipe names must be of the form "\\.\pipe\pipename".

    Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.

It mentions "TCP@<host>:<port>" in the line describing the interface, but doesn't say what it means. So try

    wireshark -k -i TCP@localhost:57012
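What dumpcap expects on that TCP socket is simply the bytes of a pcap (or pcapng) file, global header first, then one record header plus packet bytes per packet. The following Python program is an added example, not code from the thread or from the Wireshark project: it streams a pcap over TCP the way a PCAP-over-IP source would, and it also includes a small reader that parses such a stream, checking the magic number and byte order first, since a reader that guesses the endianness silently misparses every length field after that. Port 57012 is taken from the command above; the two Ethernet frames are constructed sample data, not captured traffic.

```python
import socket
import struct
import threading

# pcap "microsecond" magic as a host-order integer. Written little-endian it
# appears on the wire as d4 c3 b2 a1, written big-endian as a1 b2 c3 d4.
# (A nanosecond-resolution variant, 0xA1B23C4D, also exists; not handled here.)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_FMT = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "IIII"      # ts_sec, ts_usec, caplen, origlen


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET, endian="<"):
    """24-byte pcap file header; a PCAP-over-IP stream starts with exactly this."""
    return struct.pack(endian + GLOBAL_HEADER_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data, endian="<"):
    """16-byte record header followed by the packet bytes (caplen == origlen here)."""
    return struct.pack(endian + RECORD_HEADER_FMT, ts_sec, ts_usec, len(data), len(data)) + data


def sample_records():
    """Constructed sample traffic (not captured): two minimal Ethernet frames."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return [
        (1643672400, 0, eth + b"constructed payload one"),
        (1643672400, 500000, eth + b"constructed payload two"),
    ]


def serve_pcap(records, host="127.0.0.1", port=0):
    """Listen on host:port and stream header + records to the first client.

    Returns (bound_port, thread). port=0 asks the OS for a free port, which is
    what the self-test uses; a real source would pick a fixed port such as 57012.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(pcap_global_header())
            for ts_sec, ts_usec, data in records:
                conn.sendall(pcap_record(ts_sec, ts_usec, data))
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return bound_port, t


def read_exact(sock, n):
    """Read exactly n bytes; None on a clean EOF at a boundary, error mid-record."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            if buf:
                raise EOFError("stream ended in the middle of a header")
            return None
        buf += chunk
    return buf


def read_pcap_stream(host, port):
    """Connect to a PCAP-over-IP source and return (linktype, [(sec, usec, bytes)])."""
    packets = []
    with socket.create_connection((host, port)) as s:
        hdr = read_exact(s, 24)
        if hdr is None:
            raise EOFError("no pcap header received")
        # Decide byte order from the magic before trusting any other field.
        magic_le = struct.unpack("<I", hdr[:4])[0]
        if magic_le == PCAP_MAGIC:
            endian = "<"
        elif magic_le == 0xD4C3B2A1:
            endian = ">"
        else:
            raise ValueError(f"not a pcap stream: magic {magic_le:#010x}")
        _, _, _, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HEADER_FMT, hdr)
        while True:
            rec = read_exact(s, 16)
            if rec is None:
                break
            ts_sec, ts_usec, caplen, _ = struct.unpack(endian + RECORD_HEADER_FMT, rec)
            # A caplen above snaplen means the stream is corrupt or desynchronised;
            # refuse it rather than read an attacker-chosen length into memory.
            if caplen > snaplen:
                raise ValueError(f"caplen {caplen} exceeds snaplen {snaplen}")
            data = read_exact(s, caplen)
            if data is None:
                raise EOFError("stream ended before the packet bytes")
            packets.append((ts_sec, ts_usec, data))
    return linktype, packets


def demo():
    """Serve the constructed records on a free port and read them back."""
    port, t = serve_pcap(sample_records())
    result = read_pcap_stream("127.0.0.1", port)
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    # Serve on 57012 so that "wireshark -k -i TCP@localhost:57012" can connect.
    _, thread = serve_pcap(sample_records(), port=57012)
    thread.join()
```

Run the file as-is and point `wireshark -k -i TCP@localhost:57012` at it; Wireshark should show the two constructed frames as a live capture. `demo()` exercises the same code over an OS-assigned port and returns the parsed packets. The magic check and the caplen-versus-snaplen check are the two places where a reader of untrusted pcap input most often goes wrong, and they are the same checks the man page's endianness remark is alluding to for pcapng.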
Current thread:
- PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Dario Lombardo (Jan 31)
- Re: PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Roland Knall (Jan 31)
- Re: PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Roland Knall (Jan 31)
- Re: PCAP-over-IP in Wireshark? Erik Hjelmvik (Jan 31)
- Re: PCAP-over-IP in Wireshark? Dario Lombardo (Jan 31)
- Re: PCAP-over-IP in Wireshark? chuck c (Jan 31)