how to use wireshark to capture packets from standard input

Question

In our program (written in Java, run on Windows), we have packets captured on our own device, and send to the Java program via a inner callback. Formerly, we decode these packet by ourselves, but there's some performance problem. Now we want to use Wireshark instead. I've found that wireshark can capture packets from standard input, by using the following command line: wireshark -k -i -. But I have no idea how to use it in the cmd prompt in Windows 7. Suppose I have a cap file named test.cap, should I use more test.cap | wireshark -k -i - (just a example, I tried but failed) or something else? Of course, I also want to ask about the usage in Java. Does anyone know about it?

Answer 1

should I use more test.cap | wireshark -k -i - (just a example, I tried but failed)

more is not a good option, as it seems to modify the binary data.

more dumpfile.pcap > m1.pcap
type dumpfile.pcap > m2.pcap

Then

dir *.pcap

02.05.2012  14:28           191.140 dumpfile.pcap
29.09.2013  17:52           205.844 m1.pcap
29.09.2013  17:52           191.140 m2.pcap

As you can see, the output of more is significantly larger than the original.

As type does not modify the binary data, you can pipe the capture file like this

type dumpfile.pcap | wireshark -k -i -

This requires wireshark.exe to be in the search PATH of your environment.

Of course, I also want to ask about the usage in Java. Does anyone know about it?

Spawn a Wireshark process with the parameters -k -i - and let your java program write the captured binary data to STDIN of that process. The data needs to be in libpcap format not pcacp-ng (see wireshark man page for option -i).

Regarding Java, process start and writing to STDIN, please ask google: java start process write STDIN

Regards
Kurt