This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Piping tshark output to wireshark

0

I'm trying to set up a remote capture from a Debian box to Wireshark running on Windows. I'm using the following command:

plink server -pw pass "tshark -i eth0 -w -" | wireshark.exe -k -i -

Which throws an error on Wireshark startup as a popup window saying: "No Packets captured! As no data was captured, closing the temporary capture file"

And another popup saying:

Error reading from pipe: Der Vorgang wurde erfolgreich beendet. error 0

The second sentence translates roughly as: Operation completed successfully.

To test that this is not an issue with my ssh connection, I tried piping from tshark to Wireshark locally using

tshark.exe -w - | Wireshark.exe -k -i -

which leads to the same errors. Any suggestions?

Edit: Just updated to Wireshark 1.12.0, everything is still the same.

asked 01 Aug '14, 02:04

pguetschow

edited 01 Aug '14, 02:05


One Answer:

1

Wireshark can't read pcap-ng (default output format of tshark) from STDIN.

Please try this:

tshark.exe -F pcap -w - | Wireshark.exe -k -i -

or

plink server -pw pass "tshark -i eth0 -F pcap -w -" | wireshark.exe -k -i -

Regards
Kurt

answered 01 Aug '14, 02:14

Kurt Knochner ♦

Thanks, this works for the local variant.

When piping from plink I get an error about "pcap" not being a supported format. Choosing libpcap leads to the same behavior as before. Is libpcap a different format and my version of tshark just doesn't know about pcap?

(01 Aug '14, 04:23) pguetschow

Is libpcap a different format and my version of tshark just doesn't know about pcap?

It's the same. Your tshark version on Debian is just different than on Windows (there was a rename of the option).

(01 Aug '14, 05:15) Kurt Knochner ♦

Thanks for the help so far. Do you have any ideas what could cause the problem when tunneling via ssh? Or is that outside of the scope of AskWireshark?

(01 Aug '14, 05:25) pguetschow

What is the version of the remote copy of tshark?

(01 Aug '14, 05:30) grahamb ♦

Tshark 1.8.2

(01 Aug '14, 05:35) pguetschow

Please try it with tcpdump

plink server -pw pass "tcpdump -ni eth0 -w -"

(01 Aug '14, 07:36) Kurt Knochner ♦
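
To see which format actually arrives on the pipe before handing it to Wireshark, the leading bytes of the stream can be classified by magic number. This is an added example, not part of the original thread; the function name and the sample byte strings are constructed for illustration.

```python
import io
import struct
import sys

# First four bytes of a classic pcap file, as they appear on the wire/disk.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "little-endian, microsecond timestamps",
    b"\xa1\xb2\xc3\xd4": "big-endian, microsecond timestamps",
    b"\x4d\x3c\xb2\xa1": "little-endian, nanosecond timestamps",
    b"\xa1\xb2\x3c\x4d": "big-endian, nanosecond timestamps",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type

# Constructed sample inputs (not captured from a real system).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = PCAPNG_SHB + struct.pack("<IIHHqI", 28, 0x1A2B3C4D, 1, 0, -1, 28)
SAMPLE_TEXT = b"constructed banner text on stdout\r\n"


def identify_capture_stream(stream):
    """Return (kind, detail); kind is 'pcap', 'pcapng', 'empty' or 'unknown'."""
    head = stream.read(24)  # 24 bytes = size of the pcap global header
    if not head:
        return "empty", "no bytes arrived on the pipe"
    magic = head[:4]
    if magic == PCAPNG_SHB:
        return "pcapng", "starts with a Section Header Block"
    if magic not in PCAP_MAGICS:
        # Anything else (text, banners, error messages) is not a capture header.
        return "unknown", f"leading bytes {head[:16]!r} are not a capture header"
    if len(head) < 24:
        return "unknown", "pcap magic present but global header is truncated"
    endian = "<" if magic[0] in (0xD4, 0x4D) else ">"
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", head[4:24])
    return "pcap", (f"{PCAP_MAGICS[magic]}, v{major}.{minor}, "
                    f"snaplen={snaplen}, linktype={linktype}")


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No pipe attached: run over the constructed samples instead.
        for data in (SAMPLE_PCAP, SAMPLE_PCAPNG, SAMPLE_TEXT, b""):
            print(identify_capture_stream(io.BytesIO(data)))
    else:
        print(identify_capture_stream(sys.stdin.buffer))
```

Piping the same tshark, plink or tcpdump command into this script instead of Wireshark shows whether the stream starts with a pcap header, a pcapng block, or something that is not capture data at all.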