This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Refresh open File in Wireshark

Hello All, I have the following problem that iam trying to work out with the help of Wireshark

I have log files that keep getting updated.
Using text2pcap the files are being processed and viewed in the wireshark.

As the files keep getting updated dynamically I am required to process the log files every few minutes to view the latest messages. Can anybody suggest if there is any way Wireshark can refresh the opened file automatically whenever the contents change or if there is any workaround to achieve the same affect instead of manually refreshing using CTRL+R.

rtp

asked 07 Nov '12, 22:49

manojdeoli
1●5●5●6
accept rate: 0%

2 Answers:

Wireshark can read from a (named) pipe. Your tool would create that named pipe and write updated data to it. That data must be in pcap file format. As soon as you write to the pipe, Wireshark will display the packets.

Please read more about pipes in the Wiki:

http://wiki.wireshark.org/CaptureSetup/Pipes

Please check also my answer to the following question:

http://ask.wireshark.org/questions/13059/capturing-from-multiple-pipes

Basically you would do the following (on Windows):

Create a pipe (\.\pipe\livedata) within your application that reads the log.
Read the log file and convert the data into pcap format. You can use/modify the source code of text2pcap to do that. Unfortunately you cannot use text2pcap, as it cannot write to the pipe in a way that would work in your scenario (continuous updates).
Read from the named pipe in Wireshark

wireshark -i \\.\pipe\livedata -k

The same works in Linux. Please google for: mkfifo

Regards
Kurt

answered 08 Nov '12, 00:59

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 08 Nov '12, 02:08

0	Also see my answer to your other question. answered 08 Nov '12, 06:09 JeffMorriss ♦ 6.2k●5●72 accept rate: 27%