Wireshark-users: Re: [Wireshark-users] [HELP] How to send bytes to wireshark on runtime

From: Satish Chandra <satishchandracms@xxxxxxxxx>
Date: Fri, 5 Jun 2009 08:58:01 +0530
Hi,

Thanks for the information. Well, I have run wireshark many times and as far as I know...we can only set the interface from where to capture the packet. How to set it to capture the packet from the Pipe ?

I don't want to use the wireshark's command-line options. I want that everything can be done using the wireshark gui.

Thanks,
Satish

On Fri, Jun 5, 2009 at 4:56 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jun 4, 2009, at 12:48 PM, Satish Chandra wrote:

> I don't know how the output from dumpcap goes to wireshark. I wish
> to replace dumpcap with my utility and want wireshark to decode the
> byte stream on run-time.

In other words, you want to do a live capture of packets from some
source other than libpcap/WinPcap.

When doing a live capture in Wireshark (or TShark), whenever a set of
packets arrives, dumpcap writes them to a pcap-format capture file
sends to Wireshark (or TShark) a message saying that some number of
packets have arrived.

A pcap-format file is, in some sense, a byte stream, as *all* files on
UN*X or Windows (except for "special files" on UN*X) are, ultimately,
(seekable) byte streams.  However, as is the case with most non-text
files, the byte stream has a certain structure to it; it's not just a
raw byte stream.

The format of the messages sent over the pipe between Wireshark/TShark
and dumpcap is subject to change (and probably *will* change over
time).  I would not recommend trying to replace dumpcap at this point.

Instead, what I would recommend that you do is to have your utility
write pcap-format files to a named pipe, and, in Wireshark, capture
from a "device" that is the named pipe.  For example, on UN*X, you
could create a temporary named pipe "capturepipe" in /tmp:

       mkfifo /tmp/capturepipe

and then:

       start your program and have it write a pcap-format file header,
followed by the sequence of packets in pcap-file format, to that pipe;

       start up Wireshark and have it capture from "/tmp/capturepipe".

I don't know how that would be done on Windows, but there might be
similar things one could do with named pipes.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Satish Chandra