This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Live capture Using pipes


How do I set up Wireshark to capture live packets thrown to a pipe? Currently only one packet can be captured in Wireshark using named pipes. I want to set it up so that whenever I throw packets to the pipe, they are shown in the queue in Wireshark, so that it feels like live capturing from pipes.

-Ankit

asked 07 Sep '15, 23:42


Ankit Patel

Sounds like named pipes are not what you want. Can you please add your definition of "pipe" and how you would like to start Wireshark (CLI example)?

(08 Sep '15, 05:08) Kurt Knochner ♦

On the Manage Interfaces selection I am creating a new pipe at /tmp/myfifo and then start a capture on it. Meanwhile I am throwing a .pcap file onto that pipe, i.e. cat ip_packet.pcap > /tmp/myfifo

Now Wireshark captures this file and shows it in the GUI.

If I send another .pcap file onto that pipe then it won't show in the GUI. I have to restart the capture; only then does it display the packet received on the pipe.

I have to create an application which throws packets, and Wireshark captures the packets and monitors continuously. Is this possible?

-Ankit

(08 Sep '15, 21:29) Ankit Patel

One Answer:


If I send another .pcap file onto that pipe then it won't show in the GUI.

If Wireshark reads from a named pipe, it expects the same file structure as it would find in a pcap file, meaning pcap header, then captured frames. So, if you write the pcap file to the named pipe in the first step, it will work. When you cat another pcap file to the named pipe, it won't work as Wireshark does not expect to see a second pcap file header.

So, if you want to 'throw' several pcap files at Wireshark through a named pipe, your program needs to read the pcap files and 'throw' only the captured frames to the named pipe together with a valid pcap file header in the first step.

Regards
Kurt

answered 08 Sep '15, 22:25


Kurt Knochner ♦

So in live capture mode, if 1000 packets are received from the LAN, then Wireshark creates a pcap file 1000 times with a modified header?

(08 Sep '15, 22:32) Ankit Patel

No. If Wireshark captures from a network interface it does not expect a pcap file structure, as there won't be one. Instead it reads the frames from the network interface and stores them in memory and/or a temp file. As soon as you tell Wireshark to save the captured frames, it will write a pcap file with the appropriate file structure to store the captured frames.

(08 Sep '15, 22:36) Kurt Knochner ♦

But how does Wireshark show a live capture? Previously you mentioned that Wireshark expects pcap files to display in the GUI.

(08 Sep '15, 22:42) Ankit Patel

But how does Wireshark show a live capture?

??? Please elaborate!

If Wireshark captures the frames, where would you see a problem to show them in the GUI?

(08 Sep '15, 23:07) Kurt Knochner ♦

While capturing from eth0, Wireshark shows a live packet capture. As it receives a packet it displays it. I need to create the same scenario using a pipe. As it captures a packet it should be appended to the display in Wireshark.

(08 Sep '15, 23:58) Ankit Patel

As it captures a packet it should be appended to the display in Wireshark

If you want to capture from a named pipe, run:

wireshark -ni /tmp/pipe -k

Then write a valid data structure to /tmp/pipe, meaning only frames as they would appear on eth0.

If you want to read a capture file from a named pipe, run:

wireshark -nr /tmp/pipe

Then write a valid data structure to /tmp/pipe, meaning a valid pcap file.

(09 Sep '15, 00:31) Kurt Knochner ♦

So here is the question,

I need to create an application which sends IP packets at some time interval. Wireshark should be able to capture the IP packets and display them. Wireshark displays one packet as it is received and polls for another packet; as it receives another packet, it displays it in the second row, then the third, and so on.

Now, as Wireshark only accepts pcap formats on the pipe, I need to generate a pcap of the first IP packet and send it to the created pipe. After that I need to create another pcap file with two IP packets (one previous and one current) and send it to Wireshark.

What I am facing is that Wireshark reads the first pcap file, but for the second file I need to restart the capture manually. Is it possible to set an auto-restart after receiving packets from the pipe?

(09 Sep '15, 02:44) Ankit Patel

Have you tried sending the libpcap global header first and then each packet independently with its own packet header (as seen in https://wiki.wireshark.org/Development/LibpcapFileFormat)? I do not understand why you claim that you would need to create new pcap files for each dumped packet (containing previous and new packets). To summarize: when creating the pipe, try sending the global header once and then send each packet with its own packet header. It should work fine.

(09 Sep '15, 06:16) Pascal Quantin

Yes, I tried to send the global header using the pipe. It shows an error message like "No packets captured! As no data was captured, closing the temporary capture file!"

If I send a file which includes the global header and 1 packet header followed by data, then it works. But it won't capture further packets.

I think Wireshark closes the pipe as soon as something has been captured. Wireshark doesn't continuously poll for the next packet from the pipe.

(10 Sep '15, 01:27) Ankit Patel

Can you please post some information about your code, the way you tried to write the pcap header to the pipe, and how you started Wireshark (with -r or -i)?

(10 Sep '15, 18:33) Kurt Knochner ♦

Using the command below to start capturing from the pipe: wireshark -ni /tmp/myfifo -k

Sending the pcap header to the pipe using the command below: cat global_header.pcap > /tmp/myfifo

Wireshark gives an error on receiving the global header file.

If I send a pcap file which contains global header + packet header + packet data then it captures properly: cat packet_with_global_header.pcap > /tmp/myfifo

But I want to send another packet without restarting the Wireshark capture, i.e. cat another_packet.pcap > /tmp/myfifo, and Wireshark should capture the other packet and display it in the packet queue. But Wireshark doesn't do anything. It requires starting a new capture.

(10 Sep '15, 21:53) Ankit Patel

But I want to send another packet without restarting the Wireshark capture, i.e. cat another_packet.pcap

O.K., again, as you might have missed the point: if you cat another pcap to the same named pipe, you are NOT just sending another packet, you are sending another pcap file, including headers, etc. This will not work!

(11 Sep '15, 14:05) Kurt Knochner ♦

Ankit,

for a continuous run, your application must not use "cat" to send packets to the pipe (regardless of whether the Global Header would be sent before the packet); it must act as a pipe server completely.

Wireshark does not close (or, better, does not stop reading) the pipe as soon as it receives something; it stops reading the pipe as soon as the sending side disconnects from the pipe, which is what happens when the "cat" finishes sending the file.

With each press of "start capture", Wireshark connects to the named pipe as its client and expects to receive the Global Header first of all and only once. Next, it processes all the packets (Packet Header followed by Packet data) as they come and appends them to the running capture, until:

a) the server disconnects from the pipe,
b) you press the "stop capture" button - in this case, Wireshark disconnects from the pipe.

So for a continuous run of the capture, your application must:
1) create the pipe (or connect to an existing one as server),
2) wait (and trash eventual packets to be sent) until the pipe indicates that a client is connected (using some pipe->State function),
3) send the Global Header once (using some pipe->Write function, NOT using cat),
4) send packets (Packet Header followed by Packet data) using pipe->Write.

Unless you expect all that to run forever, the application should check that a client is still connected before sending each packet. When a client disconnects (because you have stopped the capture), the application may either end or get back to step 2).

HTH, Pavel

(13 Sep '15, 04:49) sindy
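The following is an added worked example (not code from this thread, nor from the Wireshark project) of the pipe-server procedure sindy lists above and of the "global header once, then one record per packet" layout Kurt and Pascal describe. It assumes the /tmp/myfifo path from the thread, a POSIX FIFO (os.mkfifo), and link type LINKTYPE_RAW (101) because Ankit sends bare IP packets; the UDP-over-IPv4 packets it streams are constructed sample data. The key point the example demonstrates is that the writer keeps the FIFO open for the whole run, which is what Ankit's cat-per-packet approach (and a program that exits after writing the header) does not do.

```python
import io
import os
import socket
import struct
import sys
import time

# libpcap file format (https://wiki.wireshark.org/Development/LibpcapFileFormat):
# one 24-byte global header, then per packet a 16-byte record header + packet data.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101      # assumption: every record starts with an IPv4/IPv6 header


def pcap_global_header(linktype=LINKTYPE_RAW, snaplen=65535):
    """Global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(packet, ts=None):
    """Record header (ts_sec, ts_usec, incl_len, orig_len) followed by the packet bytes."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload, ident=1):
    """Constructed sample packet: minimal IPv4 header + UDP (zero UDP checksum) + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # checksum at offset 10
    return hdr + udp


def write_capture(out, packets, interval=0.0):
    """Write the global header exactly once, then one record per packet, to an open stream.
    Returns the number of records written; stops early if the reader has gone away."""
    out.write(pcap_global_header())
    written = 0
    for pkt in packets:
        try:
            out.write(pcap_record(pkt))
        except BrokenPipeError:      # Wireshark stopped the capture and closed its end
            break
        written += 1
        if interval:
            time.sleep(interval)
    return written


def parse_pcap_stream(stream):
    """Reader side, consuming the stream the way Wireshark would; returns the packet payloads."""
    magic, _maj, _min, _tz, _sig, _snap, _lt = struct.unpack("<IHHiIII", stream.read(24))
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap stream")
    packets = []
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break
        _sec, _usec, incl_len, _orig = struct.unpack("<IIII", rec)
        packets.append(stream.read(incl_len))
    return packets


def roundtrip(packets):
    """Offline self-check: write a capture to memory and parse it back."""
    buf = io.BytesIO()
    count = write_capture(buf, packets)
    return count, buf.getvalue(), parse_pcap_stream(io.BytesIO(buf.getvalue()))


def serve_pipe(path, packets, interval=1.0):
    """Steps 1-4 of the pipe-server procedure: create the FIFO, block until Wireshark opens it,
    send the global header once, then stream records. The FIFO stays open for the whole run."""
    if not os.path.exists(path):
        os.mkfifo(path)                                   # step 1
    with open(path, "wb", buffering=0) as fifo:           # step 2: open() blocks until a reader connects
        return write_capture(fifo, packets, interval)     # steps 3 and 4
    # leaving the 'with' block closes our end of the pipe; Wireshark then ends the capture


if __name__ == "__main__":
    # Usage: start `wireshark -ni /tmp/myfifo -k` (as in the thread), then run this script.
    fifo_path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/myfifo"
    sample = (build_ipv4_udp("10.0.0.1", "10.0.0.2", 40000, 5353, b"probe %d" % i, ident=i)
              for i in range(1, 11))
    print("records sent:", serve_pipe(fifo_path, sample))
```

Either side may be started first: a blocking open() on a FIFO waits for the peer, so Wireshark's capture start and the script's open() rendezvous regardless of order. The write_capture() loop is also where a long-running sender notices a stopped capture, as the BrokenPipeError on the next write is the "client disconnected" signal from the list above.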

Sindy,

3) send the Global Header once (using some pipe->Write function, NOT using cat)

Followed the steps as suggested by you, but as soon as I wrote the Global Header onto that pipe using the pipe write method, Wireshark stopped capturing packets and showed "No packets captured! As no data was captured, closing the temporary capture file"

(15 Sep '15, 02:18) Ankit Patel

If not done yet, I suggest you have a look at https://wiki.wireshark.org/CaptureSetup/Pipes

Given what you describe, it gives the feeling that you are closing the pipe after writing the global header. But without knowing more about what you are really doing, it's hard to tell more.

(15 Sep '15, 09:26) Pascal Quantin

Ankit,

not knowing the OS & programming language you use, but using my own (fresh and limited) experience with the subject, and after reading again what you wrote so far, I dare to narrow Pascal's general suspicion to a more specific one: that you use a pipe->Write function but terminate the application after sending the Global Header (and possibly the first packet). And when the time comes to forge the next packet, you run your application again. However, an inevitable consequence of termination of the application is its disconnection from the pipe, as the application's next run will be a new process with a new PID. Am I right?

If I am wrong and your application runs continuously but despite that Wireshark stops capturing after receiving the first packet, could you post the code (maybe leaving out the packet contents construction but definitely including the startup and shutdown of the application)?

Pascal,

the wiki page you've suggested is misleading in one significant point: if I get it right, as of now Wireshark does NOT accept pcap-ng through a pipe. I've crashed my mouth on that a few days ago (using the last stable, which is 1.12.7), as I was looking for another cause of the trouble until I found somewhere else that still only pcap is accepted.

Also the example with cat of a pcap file into the pipe may be misleading for people (like me and possibly Ankit) who are not aware of the fact that Wireshark watches the state of the sending end of the pipe and stops capturing when the source application disconnects from or even deletes the pipe. I too had expected that the pipe exists independently of the sender application and that Wireshark would keep listening to the pipe until a manual stop of the capture, regardless of what happens on the sending end.

I don't feel qualified enough to edit that page, but if you do, could you make it more correct (pcap-ng) and more detailed (pipe tracking), please?

Merci P.

(15 Sep '15, 13:30) sindy

Sindy,

Yes, you are correct. I was terminating my code and that was the reason for the pipe disconnection. Now I am able to send packets continuously using the pipe.

Thanks..

(15 Sep '15, 22:14) Ankit Patel