"Replacing 127.0.0.1 with localhost didn't work for some reason though."
dumpcap (https://gitlab.com/wireshark/wireshark/-/blob/master/dumpcap.c#L1366) calls ws_socket_ptoa (https://gitlab.com/wireshark/wireshark/-/blob/master/wsutil/socket.h#L72), which expects an IP address:

    * Convert the strings ipv4_address:port or [ipv6_address]:port to a
    * sockaddr object.

That matches the description on the wiki entry: https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket "... using the -i TCP@<addr>[:port] option."

I'm not sure it's worth making a name resolution call. Maybe better to update the docs and usage to "<addr>" instead of "<host>"?

On Tue, Feb 1, 2022 at 5:18 AM Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
> Thank you Guy and Chuck!
>
> Adding a Pipe interface with the path "TCP@127.0.0.1:57012" worked, and so did running "wireshark -k -i TCP@127.0.0.1:57012"! I've now verified that this feature can be used to read PCAP from a TCP socket in both Windows and Linux. This is exactly what I was hoping for! Replacing 127.0.0.1 with localhost didn't work for some reason though. I just get an error message saying that "TCP@localhost:57012" is not a valid socket specification.
>
> I was delighted to see that tshark also reads the pcap stream nicely when I run it like this:
> tshark -i TCP@127.0.0.1:57012
>
> I've also verified that I can read the PCAP stream from a remote IP instead of just 127.0.0.1.
>
> Thank you for your great work!
>
> On Tue, Feb 1, 2022 at 04:28, chuck c <bubbas...@gmail.com> wrote:
>
>> https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
>>
>> "A TCP stream is treated as like data from other pipes and the same restrictions apply. On each new connection the TCP server must send the header blocks as specified by libpcap or pcapng before any packet captures. TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."
>>
>> On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <ghar...@sonic.net> wrote:
>>
>>> On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>>>
>>> > Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.
>>> >
>>> > Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
>>> > nc localhost | wireshark -k -i -
>>>
>>> So this means "stream a pcap file to Wireshark and have it read it as a live capture".
>>>
>>> Wireshark - well, dumpcap, which does the capturing - has supported capturing from a pipe for a while.
>>>
>>> Support for capturing from a TCP socket was added at some point; the man page doesn't document it all that well:
>>>
>>>     −i|−−interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|−
>>>
>>>         Set the name of the network interface or pipe to use for live packet capture.
>>>
>>>         Network interface names should match one of the names listed in "dumpcap −D" (described above); a number, as reported by "dumpcap −D", can also be used. If you're using UNIX, "netstat −i", "ifconfig −a" or "ip link" might also work to list interface names, although not all versions of UNIX support the −a option to ifconfig.
>>>
>>>         If no interface is specified, Dumpcap searches the list of interfaces, choosing the first non−loopback interface if there are any non−loopback interfaces, and choosing the first loopback interface if there are no non−loopback interfaces. If there are no interfaces at all, Dumpcap reports an error and doesn't start the capture.
>>>
>>>         Pipe names should be either the name of a FIFO (named pipe) or "−" to read data from the standard input. On Windows systems, pipe names must be of the form "\\pipe\.*pipename*". Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.
>>>
>>> It mentions "TCP@<host>:<port>" in the line describing the interface, but doesn't say what it means.
>>>
>>> So try
>>>
>>>     wireshark -k -i TCP@localhost:57012
>>>
>>
>
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
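As an added example (not code from the thread or from the Wireshark project), a small Python PCAP-over-IP server that follows both points made above: it accepts only the IP-literal forms the thread attributes to ws_socket_ptoa, so "TCP@localhost:57012" is rejected rather than resolved, and it sends the pcap global header before any record on every new connection, as the wiki entry requires. The pcap header layout and the Ethernet link type are assumed from the classic libpcap file format.

```python
import ipaddress
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps (assumed format)
LINKTYPE_ETHERNET = 1

def parse_tcp_spec(spec):
    # Accept 'TCP@ipv4:port' or 'TCP@[ipv6]:port' only, as the thread says
    # ws_socket_ptoa does: no name resolution, so 'TCP@localhost:57012' fails.
    if not spec.startswith("TCP@"):
        raise ValueError("not a TCP@ pipe spec")
    rest = spec[4:]
    if rest.startswith("["):
        host, sep, port = rest[1:].partition("]:")
        family = socket.AF_INET6
    else:
        host, sep, port = rest.rpartition(":")
        family = socket.AF_INET
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"{spec!r} is not a valid socket specification")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"{host!r} is not an IP literal; names are not resolved")
    if addr.version != (4 if family == socket.AF_INET else 6):
        raise ValueError("bracketed form is IPv6 only, unbracketed is IPv4 only")
    return family, str(addr), int(port)

def pcap_stream(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # Bytes a PCAP-over-IP server must send on each new connection: global header
    # first, then one record per (timestamp, bytes); '=' packs in host byte order.
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts, payload in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("=IIII", sec, usec, len(payload), len(payload)) + payload
    return out

def serve(spec, packets):
    # Each client, e.g. 'wireshark -k -i TCP@127.0.0.1:57012', gets a fresh stream.
    family, addr, port = parse_tcp_spec(spec)
    with socket.socket(family, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((addr, port))
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(pcap_stream(packets))
```

Run serve("TCP@127.0.0.1:57012", [(1.5, b"\x00" * 14)]) in one terminal and wireshark -k -i TCP@127.0.0.1:57012 in another; the constructed 14-byte frame is a zeroed Ethernet header.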