https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket

"A TCP stream is treated as like data from other pipes and the same
restrictions apply.
On each new connection the TCP server must send the header blocks as
specified by libpcap or pcapng before any packet captures.
TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage
Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."

On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <ghar...@sonic.net> wrote:

> On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>
> > Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
> > stream over a TCP socket.
> >
> > Currently, the best solution to read PCAP-over-IP in Wireshark is by
> > using netcat to read the PCAP stream and forward it to Wireshark's STDIN
> > like this:
> > nc localhost | wireshark -k -i -
>
> So this means "stream a pcap file to Wireshark and have it read it as a
> live capture".
>
> Wireshark - well, dumpcap, which does the capturing - has supported
> capturing from a pipe for a while.
>
> Support for capturing from a TCP socket was added at some point; the man
> page doesn't document it all that well:
>
>        −i|−−interface  <capture interface>|rpcap://<host>:<port>/<capture
>        interface>|TCP@<host>:<port>|−
>
>            Set the name of the network interface or pipe to use for live
>            packet capture.
>
>            Network interface names should match one of the names listed in
>            "dumpcap −D" (described above); a number, as reported by "dumpcap
>            −D", can also be used. If you’re using UNIX, "netstat −i",
>            "ifconfig −a" or "ip link" might also work to list interface names,
>            although not all versions of UNIX support the −a option to
>            ifconfig.
>
>            If no interface is specified, Dumpcap searches the list of
>            interfaces, choosing the first non−loopback interface if there are
>            any non−loopback interfaces, and choosing the first loopback
>            interface if there are no non−loopback interfaces. If there are no
>            interfaces at all, Dumpcap reports an error and doesn’t start the
>            capture.
>
>            Pipe names should be either the name of a FIFO (named pipe) or "−"
>            to read data from the standard input. On Windows systems, pipe
>            names must be of the form "\\pipe\.*pipename*". Data read from
>            pipes must be in standard pcapng or pcap format. Pcapng data must
>            have the same endianness as the capturing host.
>
> It mentions "TCP@<host>:<port>" in the line describing the interface, but
> doesn't say what it means.
>
> So try
>
>     wireshark -k -i TCP@localhost:57012
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>
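The wiki text quoted at the top of this message requires the TCP server to send the libpcap header on each new connection before any packet data. A minimal PCAP-over-IP sender that does this is sketched below as an added example; it is not code from this thread or from Wireshark. The function names and the sample frame are constructed for illustration, and the port is the one used in the command quoted above.

```python
import socket
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """24-byte libpcap file header; must precede any packet record."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link-layer type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None):
    """16-byte record header (sec, usec, captured len, wire len) + frame."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def make_listener(host="127.0.0.1", port=57012):
    """Bind to loopback only: the stream is unauthenticated and unencrypted."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    return listener

def serve_one_client(listener, frames):
    """Accept one connection, send the header first, then packet records."""
    conn, _peer = listener.accept()
    with conn:
        conn.sendall(pcap_global_header())   # header on every new connection
        for frame in frames:
            conn.sendall(pcap_record(frame))

# Constructed sample: broadcast Ethernet frame, local experimental
# EtherType 0x88B5, 46 bytes of zero padding (60 bytes total).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "88b5") + bytes(46)

if __name__ == "__main__":
    with make_listener() as listener:
        while True:                           # each client gets a fresh header
            serve_one_client(listener, [SAMPLE_FRAME])
```

With the script running, `wireshark -k -i TCP@localhost:57012` from the quoted reply connects and reads the stream as a live capture.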