Thank you Guy and Chuck! Adding a Pipe interface with the path "TCP@127.0.0.1:57012" worked, and so did running "wireshark -k -i TCP@127.0.0.1:57012"! I've now verified that this feature can be used to read PCAP from a TCP socket in both Windows and Linux. This is exactly what I was hoping for! Replacing 127.0.0.1 with localhost didn't work for some reason though. I just get an error message saying that "TCP@localhost:57012" is not a valid socket specification.
I was delighted to see that tshark also reads the pcap stream nicely when I run it like this:

tshark -i TCP@127.0.0.1:57012

I've also verified that I can read the PCAP stream from a remote IP instead of just 127.0.0.1. Thank you for your great work!

On Tue, 1 Feb 2022 at 04:28, chuck c <bubbas...@gmail.com> wrote:
> https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
>
> "A TCP stream is treated as like data from other pipes and the same
> restrictions apply.
> On each new connection the TCP server must send the header blocks as
> specified by libpcap or pcapng before any packet captures.
> TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage
> Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."
>
> On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <ghar...@sonic.net> wrote:
>
>> On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>>
>> > Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.
>> >
>> > Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
>> > nc localhost | wireshark -k -i -
>>
>> So this means "stream a pcap file to Wireshark and have it read it as a live capture".
>>
>> Wireshark - well, dumpcap, which does the capturing - has supported capturing from a pipe for a while.
>>
>> Support for capturing from a TCP socket was added at some point; the man page doesn't document it all that well:
>>
>>     -i|--interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|-
>>
>>         Set the name of the network interface or pipe to use for live packet capture.
>>
>>         Network interface names should match one of the names listed in "dumpcap -D" (described above); a number, as reported by "dumpcap -D", can also be used. If you're using UNIX, "netstat -i", "ifconfig -a" or "ip link" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.
>>
>>         If no interface is specified, Dumpcap searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, Dumpcap reports an error and doesn't start the capture.
>>
>>         Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. On Windows systems, pipe names must be of the form "\\pipe\.*pipename*". Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.
>>
>> It mentions "TCP@<host>:<port>" in the line describing the interface, but doesn't say what it means.
>>
>> So try
>>
>> wireshark -k -i TCP@localhost:57012
>>
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>> Archives: https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
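A minimal PCAP-over-IP server illustrating the rule quoted from the wiki in this thread (the libpcap header blocks must precede the packet records on every new TCP connection), written as an added example for this thread; it is not Wireshark's code nor Erik's. It assumes a classic little-endian pcap file header, link type Ethernet and a constructed sample frame; to feed Wireshark, call serve_pcap_over_ip("127.0.0.1", 57012, [SAMPLE_FRAME]) and then run wireshark -k -i TCP@127.0.0.1:57012.

```python
import socket
import struct
import threading
PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, written little-endian (x86 host order)
# Constructed sample frame: broadcast dst, locally administered src, EtherType 0x0800, zero payload
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)

def pcap_global_header(linktype=1, snaplen=65535):   # linktype 1 = LINKTYPE_ETHERNET
    # magic, major=2, minor=4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame  # ts, caplen, origlen

def serve_connection(conn, frames):
    # Header first on EVERY new connection: dumpcap treats the socket like a FIFO or stdin.
    conn.sendall(pcap_global_header())
    for i, frame in enumerate(frames):
        conn.sendall(pcap_record(1_643_600_000 + i, 0, frame))

def serve_pcap_over_ip(host, port, frames, connections=1):
    # Listen in a background thread; each client gets header + records, then EOF.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    def loop():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                serve_connection(conn, frames)
        srv.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]   # actual port (useful when port=0)

def parse_pcap_stream(data):
    # Minimal reader to check what a client receives: returns (linktype, [frames]).
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("stream does not start with a pcap file header")
    frames, off = [], 24
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return linktype, frames

def read_stream(host, port):
    with socket.create_connection((host, port)) as c:
        return b"".join(iter(lambda: c.recv(65536), b""))
```

With connections=2 the server repeats the header for the second client, which is what lets Wireshark be restarted against the same port without a stale stream.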