Wireshark-dev: Re: [Wireshark-dev] PCAP-over-IP in Wireshark?
From: Roland Knall <rknall@xxxxxxxxx>
Date: Tue, 1 Feb 2022 13:26:15 +0100
Guy has already updated the documentation a bit yesterday and today on the command line. But the online manuals could be updated.
On Tue, 1 Feb 2022 at 13:15, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
Hi,

Cool that this works as intended / expected. All that is left now, as Guy indicated, is to document this properly. Chuck, feeling up to it? ;)

Thanks,
Jaap

On 1 Feb 2022, at 12:18, Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx> wrote:

Thank you Guy and Chuck!

Adding a Pipe interface with the path "TCP@127.0.0.1:57012" worked, and so did running "wireshark -k -i TCP@127.0.0.1:57012"! I've now verified that this feature can be used to read PCAP from a TCP socket in both Windows and Linux. This is exactly what I was hoping for! Replacing 127.0.0.1 with localhost didn't work for some reason though. I just get an error message saying that "TCP@localhost:57012" is not a valid socket specification.

I was delighted to see that tshark also reads the pcap stream nicely when I run it like this:

tshark -i TCP@127.0.0.1:57012

I've also verified that I can read the PCAP stream from a remote IP instead of just 127.0.0.1.

Thank you for your great work!

On Tue, 1 Feb 2022 at 04:28, chuck c <bubbasnmp@xxxxxxxxx> wrote:

"A TCP stream is treated like data from other pipes and the same restrictions apply. On each new connection the TCP server must send the header blocks as specified by libpcap or pcapng before any packet captures. TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."

On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <gharris@xxxxxxxxx> wrote:

On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelmvik@xxxxxxxxx> wrote:
> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.
>
> Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
> nc localhost | wireshark -k -i -
So this means "stream a pcap file to Wireshark and have it read it as a live capture".
Wireshark - well, dumpcap, which does the capturing - has supported capturing from a pipe for a while.
Support for capturing from a TCP socket was added at some point; the man page doesn't document it all that well:
-i|--interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|-
Set the name of the network interface or pipe to use for live packet capture.
Network interface names should match one of the names listed in "dumpcap -D" (described above); a number, as reported by "dumpcap -D", can also be used. If you're using UNIX, "netstat -i", "ifconfig -a" or "ip link" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.
If no interface is specified, Dumpcap searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, Dumpcap reports an error and doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. On Windows systems, pipe names must be of the form "\\.\pipe\pipename". Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.
It mentions "TCP@<host>:<port>" in the line describing the interface, but doesn't say what it means.
So try
wireshark -k -i TCP@localhost:57012
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
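The requirement Chuck quoted (each new TCP connection must start with the libpcap header before any packet records) is what a PCAP-over-IP server has to honour. The following is an added example, not code from the thread or from Wireshark: a minimal server that does exactly that, plus a client-side reader that checks the stream the way a capture tool would. The sample packet bytes, the port choice and the function names are constructed for the example.

```python
import socket
import struct
import threading
import time

PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample: one 42-byte frame (broadcast dst, EtherType 0x0806).
SAMPLE_PACKETS = [b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28]

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(packet, ts):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len, then the bytes
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet

def start_server(packets, host="127.0.0.1"):
    """Listen on an ephemeral port; every accepted client gets header first, then records.
    Returns (port, listening socket); connect with: wireshark -k -i TCP@127.0.0.1:<port>"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def handle(conn):
        with conn:
            conn.sendall(pcap_global_header())   # mandatory before any packet
            t = time.time()
            for i, pkt in enumerate(packets):
                conn.sendall(pcap_record(pkt, t + i))

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listening socket closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv

def read_pcap_stream(host, port):
    """Client side: read until EOF, verify the global header, return the packet payloads."""
    with socket.create_connection((host, port)) as c:
        data = b""
        while chunk := c.recv(4096):
            data += chunk
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("stream did not begin with a pcap global header")
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        pkts.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return pkts
```

Running `start_server(SAMPLE_PACKETS)` and pointing Wireshark at the returned port reproduces the thread's setup without netcat; a server that forgets the header makes `read_pcap_stream` (and dumpcap) reject the connection.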