Wireshark-dev: Re: [Wireshark-dev] PCAP-over-IP in Wireshark?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx>
Date: Mon, 31 Jan 2022 19:52:35 +0100
Hi Dario,

Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my requirements. Wrapping captured packets inside of UDP packets or IP packets (as in ERSPAN) to allow remote sniffing is an attractive solution, but it comes with several drawbacks. Some of these drawbacks include difficulties in handling captured packets that exceed the MTU between sniffer and collector, how to preserve timestamps from the original capture source etc. Transmitting packets over a TCP connection has a few drawbacks as well, but it's a method that has served me very well over the years.

As of now, I'd say that the primary drawback of using PCAP-over-IP (which really should be called  "PCAP-over-TCP") is that Wireshark/tshark can't read this data natively without having to use netcat as a shim between the TCP socket and Wireshar/tshark. I was hoping that there was an extcap solution for this, but I'm guessing I might be out of luck there :(

/erik

Den mån 31 jan. 2022 kl 14:02 skrev Dario Lombardo <lomato@xxxxxxxxx>:
You can have a look at udpdump, which doesn't use TCP but UDP, but it may fit your purpose.

On Mon, Jan 31, 2022 at 1:57 PM Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx> wrote:
Hello folks,

Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.

Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
nc localhost 57012 | wireshark -k -i -

But it would be much nicer if this data could be read directly without having to use netcat. Maybe as an extcap interface?

Best regards,
Erik
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


-- 
Naima is online.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe