Wireshark-dev: Re: [Wireshark-dev] PCAP-over-IP in Wireshark?

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 31 Jan 2022 16:18:46 -0800
On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx> wrote:

> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.
> 
> Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
> nc localhost | wireshark -k -i -

So this means "stream a pcap file to Wireshark and have it read it as a live capture".

Wireshark - well, dumpcap, which does the capturing - has supported capturing from a pipe for a while.

Support for capturing from a TCP socket was added at some point; the man page doesn't document it all that well:

       -i|--interface  <capture interface>|rpcap://<host>:<port>/<capture
       interface>|TCP@<host>:<port>|-

           Set the name of the network interface or pipe to use for live
           packet capture.

           Network interface names should match one of the names listed in
           "dumpcap -D" (described above); a number, as reported by "dumpcap
           -D", can also be used. If you're using UNIX, "netstat -i",
           "ifconfig -a" or "ip link" might also work to list interface names,
           although not all versions of UNIX support the -a option to
           ifconfig.

           If no interface is specified, Dumpcap searches the list of
           interfaces, choosing the first non-loopback interface if there are
           any non-loopback interfaces, and choosing the first loopback
           interface if there are no non-loopback interfaces. If there are no
           interfaces at all, Dumpcap reports an error and doesn't start the
           capture.

           Pipe names should be either the name of a FIFO (named pipe) or "-"
           to read data from the standard input. On Windows systems, pipe
           names must be of the form "\\.\pipe\pipename". Data read from
           pipes must be in standard pcapng or pcap format. Pcapng data must
           have the same endianness as the capturing host.

It mentions "TCP@<host>:<port>" in the line describing the interface, but doesn't say what it means.

So try

    wireshark -k -i TCP@localhost:57012
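
What dumpcap consumes on "TCP@<host>:<port>" (or on stdin behind netcat) is nothing more than a pcap file delivered over a TCP connection: the 24-byte file header first, then a 16-byte record header plus packet bytes for every packet, with no framing beyond the lengths in those headers. The Python below is an added example, not code from this thread or from the Wireshark project. It builds a small constructed pcap, serves it on a localhost port in a background thread, and reads it back the way a PCAP-over-IP reader has to: byte order taken from the magic, record lengths from an untrusted peer capped before any allocation, and a clean end of stream told apart from a connection cut off mid-record. The sample frames, timestamps, the 7-byte send chunking and the MAX_PACKET cap are my own choices for the example; the cap value is an assumption chosen to match the per-packet limit I recall Wireshark applying, not something the thread states.

```python
"""PCAP-over-IP round trip: serve a pcap stream over TCP, then parse it as a live capture.

Added example for the thread above; the sample packets are constructed, not real traffic.
"""
import socket
import struct
import threading

# pcap magic numbers as they appear on the wire. The byte order of the magic
# fixes the byte order of every header that follows; the second pair marks
# nanosecond-resolution timestamps.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
# Assumed cap on incl_len: a remote peer must not be able to make the reader
# allocate arbitrarily large buffers by claiming a huge record length.
MAX_PACKET = 262144


def build_pcap(packets, linktype=1, byteorder="<"):
    """Serialize [(ts_sec, ts_usec, bytes), ...] as a classic pcap byte stream."""
    out = [struct.pack(byteorder + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, data in packets:
        out.append(struct.pack(byteorder + "IIII", ts_sec, ts_usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def serve_pcap(stream, chunk=7):
    """Serve one pcap stream on an ephemeral 127.0.0.1 port, writing it in small
    chunks so record boundaries land mid-recv() as they would on a real network.
    Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            for i in range(0, len(stream), chunk):
                conn.sendall(stream[i:i + chunk])
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def recv_exact(sock, n):
    """Read exactly n bytes, or fewer only if the peer closed the connection."""
    buf = bytearray()
    while len(buf) < n:
        piece = sock.recv(n - len(buf))
        if not piece:
            break
        buf += piece
    return bytes(buf)


def read_pcap_over_ip(host, port):
    """Connect to a PCAP-over-IP server and parse the stream incrementally.
    Returns (linktype, [(timestamp_seconds, packet_bytes), ...])."""
    with socket.create_connection((host, port)) as sock:
        hdr = recv_exact(sock, 24)
        if len(hdr) < 24:
            raise EOFError("stream ended inside the pcap file header")
        if hdr[:4] not in MAGICS:
            raise ValueError("not a pcap stream, magic %s" % hdr[:4].hex())
        bo, ts_div = MAGICS[hdr[:4]]
        vmaj, vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack(bo + "HHiIII", hdr[4:])
        if (vmaj, vmin) != (2, 4):
            raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
        packets = []
        while True:
            rec = recv_exact(sock, 16)
            if not rec:
                break                      # clean EOF on a record boundary
            if len(rec) < 16:
                raise EOFError("stream ended inside a record header")
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(bo + "IIII", rec)
            if incl_len > MAX_PACKET or incl_len > orig_len:
                raise ValueError("bogus record length %d" % incl_len)
            data = recv_exact(sock, incl_len)
            if len(data) < incl_len:
                raise EOFError("stream ended inside packet data")
            packets.append((ts_sec + ts_frac / ts_div, data))
    return linktype, packets


# Constructed sample: an ARP-shaped broadcast frame and an IPv4-shaped frame.
SAMPLE = [
    (1643674800, 123456, bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28),
    (1643674801, 7, bytes.fromhex("001122334455ffffffffffff0800") + b"\x45" + b"\x00" * 19),
]


def demo(byteorder="<"):
    """Serve SAMPLE over TCP and read it back; returns (linktype, packets)."""
    port, thread = serve_pcap(build_pcap(SAMPLE, byteorder=byteorder))
    result = read_pcap_over_ip("127.0.0.1", port)
    thread.join()
    return result


def demo_truncated():
    """Serve a stream cut off inside the last record; True if the reader notices."""
    port, thread = serve_pcap(build_pcap(SAMPLE)[:-5])
    try:
        read_pcap_over_ip("127.0.0.1", port)
        return False
    except EOFError:
        return True
    finally:
        thread.join()


if __name__ == "__main__":
    linktype, pkts = demo()
    print("linktype", linktype, "packets", len(pkts), "truncation detected:", demo_truncated())
```

The same server, left listening on a fixed port, is what the `wireshark -k -i TCP@localhost:<port>` form in the message above would connect to; the reader here is deliberately stricter than a trusting `nc` pipe about lengths, because with PCAP-over-IP the file header and every record header come from the remote end.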