Guy has already updated the documentation a bit on the command line, yesterday and today. But the online manuals could be updated.

On Tue, 1 Feb 2022 at 13:15, Jaap Keuter <jaap.keu...@xs4all.nl> wrote:

> Hi,
>
> Cool that this works as intended / expected.
> All that is left now, as Guy indicated, is to document this properly.
> Chuck, feeling up to it? ;)
>
> Thanks,
> Jaap
>
>
> On 1 Feb 2022, at 12:18, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>
> Thank you Guy and Chuck!
>
> Adding a Pipe interface with the path "TCP@127.0.0.1:57012" worked, and
> so did running "wireshark -k -i TCP@127.0.0.1:57012"! I've now verified
> that this feature can be used to read PCAP from a TCP socket in both
> Windows and Linux. This is exactly what I was hoping for! Replacing
> 127.0.0.1 with localhost didn't work for some reason though. I just get an
> error message saying that "TCP@localhost:57012" is not a valid socket
> specification.
>
> I was delighted to see that tshark also reads the pcap stream nicely when
> I run it like this:
> tshark -i TCP@127.0.0.1:57012
>
> I've also verified that I can read the PCAP stream from a remote IP
> instead of just 127.0.0.1.
>
> Thank you for your great work!
>
> On Tue, 1 Feb 2022 at 04:28, chuck c <bubbas...@gmail.com> wrote:
>
>> https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
>>
>> "A TCP stream is treated as like data from other pipes and the same
>> restrictions apply.
>> On each new connection the TCP server must send the header blocks as
>> specified by libpcap or pcapng before any packet captures.
>> TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage
>> Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."
>>
>> On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <ghar...@sonic.net> wrote:
>>
>>> On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelm...@gmail.com>
>>> wrote:
>>>
>>> > Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
>>> > stream over a TCP socket.
>>> >
>>> > Currently, the best solution to read PCAP-over-IP in Wireshark is by
>>> > using netcat to read the PCAP stream and forward it to Wireshark's STDIN
>>> > like this:
>>> > nc localhost | wireshark -k -i -
>>>
>>> So this means "stream a pcap file to Wireshark and have it read it as a
>>> live capture".
>>>
>>> Wireshark - well, dumpcap, which does the capturing - has supported
>>> capturing from a pipe for a while.
>>>
>>> Support for capturing from a TCP socket was added at some point; the man
>>> page doesn't document it all that well:
>>>
>>>        −i|−−interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|−
>>>
>>>            Set the name of the network interface or pipe to use for live
>>>            packet capture.
>>>
>>>            Network interface names should match one of the names listed in
>>>            "dumpcap −D" (described above); a number, as reported by "dumpcap
>>>            −D", can also be used. If you’re using UNIX, "netstat −i",
>>>            "ifconfig −a" or "ip link" might also work to list interface names,
>>>            although not all versions of UNIX support the −a option to
>>>            ifconfig.
>>>
>>>            If no interface is specified, Dumpcap searches the list of
>>>            interfaces, choosing the first non−loopback interface if there are
>>>            any non−loopback interfaces, and choosing the first loopback
>>>            interface if there are no non−loopback interfaces. If there are no
>>>            interfaces at all, Dumpcap reports an error and doesn’t start the
>>>            capture.
>>>
>>>            Pipe names should be either the name of a FIFO (named pipe) or "−"
>>>            to read data from the standard input. On Windows systems, pipe
>>>            names must be of the form "\\pipe\.*pipename*". Data read from
>>>            pipes must be in standard pcapng or pcap format. Pcapng data must
>>>            have the same endianness as the capturing host.
>>>
>>> It mentions "TCP@<host>:<port>" in the line describing the interface,
>>> but doesn't say what it means.
>>>
>>> So try
>>>
>>>     wireshark -k -i TCP@localhost:57012
>>>
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>>>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
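
The wiki text quoted in the thread requires the TCP server to send the libpcap header on each new connection before any packets. As an added example (not part of the thread and not Wireshark's own code), here is a minimal sender that `wireshark -k -i TCP@127.0.0.1:57012` or `tshark -i TCP@127.0.0.1:57012` can read. The function names and the sample frame are constructed for illustration; the port is the one used in the thread.

```python
import socket
import struct
import time

LINKTYPE_ETHERNET = 1  # link-layer type written into the pcap file header

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=262144):
    # Classic pcap file header, 24 bytes: magic 0xa1b2c3d4 (microsecond
    # timestamps), version 2.4, thiszone 0, sigfigs 0, snaplen, linktype.
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None):
    # Per-packet header: seconds, microseconds, captured length, original length.
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def constructed_frame():
    # Constructed sample: broadcast Ethernet frame, locally administered source
    # MAC, EtherType 0x88B5 (local experimental), zero-padded to 60 bytes.
    return (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x88\xb5").ljust(60, b"\x00")

def serve_stream(conn, frames):
    # The file header goes out first on every connection; a client that
    # connects later cannot decode records without it.
    conn.sendall(pcap_global_header())
    for frame in frames:
        conn.sendall(pcap_record(frame))

def serve(host="127.0.0.1", port=57012, count=5):
    # Bound to loopback: the stream is plain, unauthenticated TCP, so anyone
    # who can reach the port receives the capture.
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    serve_stream(conn, [constructed_frame()] * count)
                except OSError:
                    pass  # reader went away mid-stream; wait for the next one

if __name__ == "__main__":
    serve()
```
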