Hi,

Cool that this works as intended / expected. All that is left now, as Guy indicated, is to document this properly. Chuck, feeling up to it? ;)
Thanks,
Jaap

> On 1 Feb 2022, at 12:18, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>
> Thank you Guy and Chuck!
>
> Adding a Pipe interface with the path "TCP@127.0.0.1:57012" worked, and so did running "wireshark -k -i TCP@127.0.0.1:57012"! I've now verified that this feature can be used to read PCAP from a TCP socket in both Windows and Linux. This is exactly what I was hoping for! Replacing 127.0.0.1 with localhost didn't work for some reason though. I just get an error message saying that "TCP@localhost:57012" is not a valid socket specification.
>
> I was delighted to see that tshark also reads the pcap stream nicely when I run it like this:
> tshark -i TCP@127.0.0.1:57012
>
> I've also verified that I can read the PCAP stream from a remote IP instead of just 127.0.0.1.
>
> Thank you for your great work!
>
> On Tue, 1 Feb 2022 at 04:28, chuck c <bubbas...@gmail.com> wrote:
>> https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
>>
>> "A TCP stream is treated like data from other pipes and the same restrictions apply.
>> On each new connection the TCP server must send the header blocks as specified by libpcap or pcapng before any packet captures.
>> TCP@ pipes may also be added in the GUI's Menu Capture/Options…, Manage Interfaces…, Pipes Tab, but pipe settings are not saved by Wireshark."
>>
>> On Mon, Jan 31, 2022 at 6:19 PM Guy Harris <ghar...@sonic.net> wrote:
>>> On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>>>
>>>> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream over a TCP socket.
>>>>
>>>> Currently, the best solution to read PCAP-over-IP in Wireshark is by using netcat to read the PCAP stream and forward it to Wireshark's STDIN like this:
>>>> nc localhost | wireshark -k -i -
>>>
>>> So this means "stream a pcap file to Wireshark and have it read it as a live capture".
>>>
>>> Wireshark - well, dumpcap, which does the capturing - has supported capturing from a pipe for a while.
>>>
>>> Support for capturing from a TCP socket was added at some point; the man page doesn't document it all that well:
>>>
>>>     -i|--interface <capture interface>|rpcap://<host>:<port>/<capture interface>|TCP@<host>:<port>|-
>>>
>>>     Set the name of the network interface or pipe to use for live packet capture.
>>>
>>>     Network interface names should match one of the names listed in "dumpcap -D" (described above); a number, as reported by "dumpcap -D", can also be used. If you're using UNIX, "netstat -i", "ifconfig -a" or "ip link" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.
>>>
>>>     If no interface is specified, Dumpcap searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, Dumpcap reports an error and doesn't start the capture.
>>>
>>>     Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. On Windows systems, pipe names must be of the form "\\.\pipe\pipename". Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.
>>>
>>> It mentions "TCP@<host>:<port>" in the line describing the interface, but doesn't say what it means.
>>>
>>> So try
>>>
>>>     wireshark -k -i TCP@localhost:57012
>>>
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>> Archives: https://www.wireshark.org/lists/wireshark-dev
>>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
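As an added example (not code from this thread, from Wireshark, or from the wiki page quoted above), a small Python PCAP-over-IP server that does what the quoted wiki text requires: on each new TCP connection it sends the libpcap file header before any packet record, so `wireshark -k -i TCP@127.0.0.1:57012` or `tshark -i TCP@127.0.0.1:57012` can read it. The `parse_pcap_stream` function shows the header and record-length checks a reader should make before trusting such a stream. The sample frames are constructed; port 57012 is the one used in the thread.

```python
import socket
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4                  # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
# Constructed sample frames: two minimal Ethernet frames (dst, src, ethertype, zero padding).
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff 000000000001 0806") + b"\x00" * 28,
    bytes.fromhex("000000000001 000000000002 0800") + b"\x00" * 46,
]

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """24-byte libpcap file header; must precede the first record on every connection."""
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None):
    """16-byte record header followed by the frame bytes."""
    ts = time.time() if ts is None else ts
    sec, usec = int(ts), int((ts % 1) * 1_000_000)
    return RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame

def parse_pcap_stream(data):
    """Reader-side check: reject a stream with no header, then split it into frames."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("stream shorter than the pcap global header")
    magic, major, minor, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("stream does not start with a libpcap header")
    frames, off = [], GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        _sec, _usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or oversized pcap record")
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames

def serve_pcap_over_ip(frames, host="127.0.0.1", port=57012):
    """Accept one client and send header + records; read it with
    wireshark -k -i TCP@127.0.0.1:57012 (or tshark -i TCP@127.0.0.1:57012)."""
    with socket.create_server((host, port)) as srv:
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(pcap_global_header())      # header first, on each new connection
            for frame in frames:
                conn.sendall(pcap_record(frame))
```

Run `serve_pcap_over_ip(SAMPLE_FRAMES)` in one terminal, then start Wireshark or tshark with the `TCP@127.0.0.1:57012` interface; the server exits after serving one client.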