Wireshark-dev: Re: [Wireshark-dev] PCAP-over-IP in Wireshark?

From: Roland Knall <rknall@xxxxxxxxx>
Date: Mon, 31 Jan 2022 20:38:24 +0100
If udpdump is nothing for you, and you are able to run a capture tool like tshark or tcpdump on the remote machine, you can take a look at sshdump. A sibling of udpdump, it executes the remote capture program via ssh, and then transports the data as-is through a ssh-connection. It can be seen as a simple capture device on the host pc. 

Roland

Am Mo., 31. Jan. 2022 um 19:53 Uhr schrieb Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx>:
Hi Dario,

Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my requirements. Wrapping captured packets inside of UDP packets or IP packets (as in ERSPAN) to allow remote sniffing is an attractive solution, but it comes with several drawbacks. Some of these drawbacks include difficulties in handling captured packets that exceed the MTU between sniffer and collector, how to preserve timestamps from the original capture source etc. Transmitting packets over a TCP connection has a few drawbacks as well, but it's a method that has served me very well over the years.

As of now, I'd say that the primary drawback of using PCAP-over-IP (which really should be called  "PCAP-over-TCP") is that Wireshark/tshark can't read this data natively without having to use netcat as a shim between the TCP socket and Wireshar/tshark. I was hoping that there was an extcap solution for this, but I'm guessing I might be out of luck there :(

/erik

Den mån 31 jan. 2022 kl 14:02 skrev Dario Lombardo <lomato@xxxxxxxxx>:
You can have a look at udpdump, which doesn't use TCP but UDP, but it may fit your purpose.

On Mon, Jan 31, 2022 at 1:57 PM Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx> wrote:
Hello folks,

Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.

Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
nc localhost 57012 | wireshark -k -i -

But it would be much nicer if this data could be read directly without having to use netcat. Maybe as an extcap interface?

Best regards,
Erik
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


--
Naima is online.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe