This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Providing each packet to wireshark using command line

0

Hello All,

I am right now writing a pcap file to save all packets as soon as I receive them. Then I am opening that pcap in Wireshark using wireshark -k -i ${FILE}. Instead of that, I want to provide each packet to Wireshark. Is that possible?

Also, when I provide the pcap file and then append packets to the file after running the command, would Wireshark analyse them as well?

Thank you very much.

asked 24 Jul '13, 10:07


WiData
6114
accept rate: 0%


2 Answers:

1

Quick follow up, I am creating pcap headers in a C++ file, and from the same C++ file I want to execute dumpcap to save those pcap headers, so that I can open the pcap file written by dumpcap in Wireshark later on. What should I use as the -i interface option?

Well, you don't have to call dumpcap, as that's just the capturing process that generates a pcap data stream, which is piped to Wireshark. So, basically, what you need to do in your program is similar to this:

tcpdump -ni eth0 -w - | wireshark -k -i -

tcpdump writes a data stream (pcap data structure) to STDOUT (-w -). That output is piped to STDIN of Wireshark (-i -).

So, in your C++ program the tcpdump part is obsolete, as you create the packets yourself. So here is the way to go.

First option:

  • spawn a Wireshark process in your code: wireshark -k -i -
  • write your generated packets to STDOUT. That data needs to be in pcap format, as Wireshark will only understand that. If you cannot write pcap format, you could use text2pcap as an intermediate tool: your_application -> STDOUT | text2pcap - - | wireshark -k -i -
  • as soon as you are ready, kill the spawned wireshark process

Second option:

  • create a named pipe (please check your OS manual on how to do that). Also see here: http://wiki.wireshark.org/CaptureSetup/Pipes for some example code
  • spawn a wireshark process that reads from that named pipe: wireshark -nr \\.\pipe\wireshark
  • write pcap formatted data to that pipe in your application
  • as soon as you are ready, kill the spawned wireshark process

Regards
Kurt

answered 25 Jul '13, 11:23


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

@kurt: thanks a lot for your feedback, it is very useful. I appreciate the detailed answer. I am just confused over one thing: I don't want to kill the wireshark process. As the packets are being created, I just want them to be passed to the Wireshark application. I hope I am clear enough in asking this.

(26 Jul '13, 14:55) WiData
1

I dont want to kill the wireshark process.

That was just in case you want to end the whole workflow within your C++ application (at the end). If you don't want to do that, don't kill the process and let the user end Wireshark by closing the GUI window.

(27 Jul '13, 00:14) Kurt Knochner ♦

@kurt: thanks a lot for your help. I tried it and it seems it almost worked, except for the same error as in the post http://ask.wireshark.org/questions/14773/end-of-file-on-pipe-magic-during-open. I am using this code: http://pastie.org/8188169. Am I doing something wrong with the pipe? The d_msg is the pcap header which I want to pass to Wireshark.

(29 Jul '13, 15:43) WiData

And when I use this http://pastie.org/8188232 I get this error: The file "/tmp/wireshark_mine.pcap_20130730012654_ndbFzk" is a capture for a network type that Wireshark doesn't support. Not sure where I am going wrong.

(29 Jul '13, 16:29) WiData

system("mkfifo /tmp/mine.pcap");

What is your OS?

(29 Jul '13, 19:30) Kurt Knochner ♦

Linux-Ubuntu 12.04

(29 Jul '13, 23:09) WiData

I also tried with the mkfifo() function. No change with it. It's like I am almost there and then I cannot resolve it. Should I be using netcat? I am not very familiar with it, but I think it may be useful.

(30 Jul '13, 14:22) WiData
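The second option Kurt describes, as an added example that is not code from the thread or from the Wireshark project: a C++ program creates a FIFO with mkfifo(), spawns wireshark -k -i <fifo>, and writes a correct pcap global header followed by per-packet records. The FIFO path and the sample ARP frame are constructed for the example. The two header fields worth checking when Wireshark rejects a pipe are both in the 24-byte global header: the 4-byte magic must be the first thing to arrive on the pipe (if the pipe hits EOF before that, Wireshark reports end of file on the pipe magic), and the link type in the last field must be a value Wireshark knows, here 1 for Ethernet (an unknown value gives the "network type that Wireshark doesn't support" message).

```cpp
// Added example, not code from the original thread: feed pcap-format packets
// from a C++ program into Wireshark through a named pipe (Linux/POSIX).
// Assumptions: the FIFO path below is made up, and "wireshark" is on PATH.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

namespace pcapfeed {

// Classic libpcap format (not pcapng). The reader detects byte order from
// the magic, so writing every field in host order is correct.
constexpr uint32_t kMagicMicroseconds = 0xa1b2c3d4u;
constexpr uint16_t kVersionMajor = 2;
constexpr uint16_t kVersionMinor = 4;
constexpr uint32_t kLinktypeEthernet = 1;  // LINKTYPE_ETHERNET

// Append an integer to a byte buffer in host byte order.
template <typename T>
void put(std::vector<uint8_t>& out, T value) {
    uint8_t bytes[sizeof(T)];
    std::memcpy(bytes, &value, sizeof(T));
    out.insert(out.end(), bytes, bytes + sizeof(T));
}

// Read a 32-bit host-order field back at a byte offset (used for checks).
uint32_t field_u32(const std::vector<uint8_t>& buf, size_t offset) {
    uint32_t value = 0;
    std::memcpy(&value, buf.data() + offset, sizeof(value));
    return value;
}

// The 24-byte global header: written first, exactly once. The link type
// tells Wireshark which dissector to start with on every frame.
std::vector<uint8_t> global_header(uint32_t linktype = kLinktypeEthernet,
                                   uint32_t snaplen = 65535) {
    std::vector<uint8_t> h;
    put<uint32_t>(h, kMagicMicroseconds);
    put<uint16_t>(h, kVersionMajor);
    put<uint16_t>(h, kVersionMinor);
    put<int32_t>(h, 0);         // thiszone: GMT offset, 0 in practice
    put<uint32_t>(h, 0);        // sigfigs: timestamp accuracy, 0 in practice
    put<uint32_t>(h, snaplen);  // maximum bytes captured per packet
    put<uint32_t>(h, linktype);
    return h;
}

// A 16-byte record header followed by the raw frame bytes.
std::vector<uint8_t> packet_record(const std::vector<uint8_t>& frame,
                                   uint32_t ts_sec, uint32_t ts_usec) {
    std::vector<uint8_t> r;
    put<uint32_t>(r, ts_sec);
    put<uint32_t>(r, ts_usec);
    put<uint32_t>(r, static_cast<uint32_t>(frame.size()));  // incl_len
    put<uint32_t>(r, static_cast<uint32_t>(frame.size()));  // orig_len
    r.insert(r.end(), frame.begin(), frame.end());
    return r;
}

// write(2) may return a short count on a pipe, so loop until everything is out.
bool write_all(int fd, const std::vector<uint8_t>& bytes) {
    size_t done = 0;
    while (done < bytes.size()) {
        ssize_t n = ::write(fd, bytes.data() + done, bytes.size() - done);
        if (n < 0) return false;
        done += static_cast<size_t>(n);
    }
    return true;
}

// Constructed sample input: a 42-byte Ethernet/ARP request from 192.0.2.1
// for 192.0.2.2 (documentation addresses, not real hosts).
std::vector<uint8_t> sample_arp_frame() {
    return {0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  // dst: broadcast
            0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  // src: locally administered MAC
            0x08, 0x06,                          // EtherType: ARP
            0x00, 0x01, 0x08, 0x00, 0x06, 0x04,  // htype, ptype, hlen, plen
            0x00, 0x01,                          // opcode: request
            0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  // sender MAC
            0xc0, 0x00, 0x02, 0x01,              // sender IP 192.0.2.1
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // target MAC (unknown)
            0xc0, 0x00, 0x02, 0x02};             // target IP 192.0.2.2
}

}  // namespace pcapfeed

int main() {
    const char* fifo = "/tmp/wireshark_example.fifo";  // assumed path
    ::unlink(fifo);
    if (::mkfifo(fifo, 0600) != 0) { std::perror("mkfifo"); return 1; }
    pid_t pid = ::fork();
    if (pid < 0) { std::perror("fork"); return 1; }
    if (pid == 0) {  // child: Wireshark treats the FIFO as a capture interface
        ::execlp("wireshark", "wireshark", "-k", "-i", fifo, (char*)nullptr);
        _exit(127);
    }
    int fd = ::open(fifo, O_WRONLY);  // blocks until Wireshark opens the read end
    if (fd < 0) { std::perror("open fifo"); return 1; }
    bool ok = pcapfeed::write_all(fd, pcapfeed::global_header());
    for (uint32_t i = 0; ok && i < 3; ++i) {
        ok = pcapfeed::write_all(fd, pcapfeed::packet_record(
                 pcapfeed::sample_arp_frame(), 1375000000u + i, 0));
        ::sleep(1);  // packets show up in the GUI as they arrive
    }
    ::close(fd);  // EOF ends the capture; the Wireshark window stays open
    ::waitpid(pid, nullptr, 0);
    ::unlink(fifo);
    return ok ? 0 : 1;
}
```

Build with g++ -std=c++11 and run it with a desktop session available; Wireshark opens, shows the three ARP frames as they are written, and keeps its window after the pipe is closed, so nothing has to kill the process. Writing to STDOUT for the wireshark -k -i - form works the same way: replace the FIFO descriptor with STDOUT_FILENO and never print anything else on that stream.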

2

When running a live capture, Wireshark actually runs dumpcap to do the capturing which then pipes the packets into the Wireshark process, maybe you could use that technique.

answered 24 Jul '13, 10:19


grahamb ♦
19.8k330206
accept rate: 22%

Grahamb: Quick follow up, I am creating pcap headers in a C++ file, and from the same C++ file I want to execute dumpcap to save those pcap headers, so that I can open the pcap file written by dumpcap in Wireshark later on. What should I use as the -i interface option?

(24 Jul '13, 15:23) WiData
1

I'm afraid that's out of my knowledge zone.

(25 Jul '13, 02:38) grahamb ♦