This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Read a packet trace from a file in real time as it is being written

0

For example, I write a packet trace to a file with tcpdump:

tcpdump -w file.pcap

Right now I need to reopen the whole file for every new entry. Maybe Wireshark can read the file as it is written, without reopening? Like in UNIX: tail -F file.pcap

asked 26 Jun '11, 08:30


zhovner
1113
accept rate: 0%


One Answer:

0

I found a solution using pipes: http://wiki.wireshark.org/CaptureSetup/Pipes

Unfortunately I can't use pipes by following those instructions on Mac OS X 10.5.

This works for me:

sudo /Applications/Wireshark.app/Contents/Resources/bin/wireshark -k -i <(tail -n 100000000000 -F dump.pcap)

tail -n 100000000000 is there to jump to the beginning of the file.

answered 26 Jun '11, 09:00


zhovner
1113
accept rate: 0%

edited 26 Jun '11, 13:43

A better approach would be to use tail -c +0 or tail -n +0 if you want to list all data from the beginning of the file.

Your final command will look like this: sudo /Applications/Wireshark.app/Contents/Resources/bin/wireshark -k -i <(tail -c +0 -F dump.pcap)

(15 Aug '13, 03:03) Sergei
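Added example, not part of the thread above: a small shell check of why the tail invocation must start at byte 0. Wireshark reads a pipe as a pcap stream, so the 24-byte pcap global header (magic number, version, snaplen, link type) has to arrive before the first record; a constructed minimal pcap is built here with printf, so no capture and no root are needed.

```shell
#!/bin/sh
# Added example. Verifies that `tail -c +0` replays a pcap file from its first
# byte, which is what a pcap-reading pipe consumer (Wireshark, tshark) requires.
set -eu

# Write a constructed, minimal little-endian pcap: 24-byte global header plus one
# 16-byte record header and a 4-byte constructed payload (44 bytes total).
make_sample_pcap() {
  f=$1
  # magic 0xa1b2c3d4, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$f"
  # record: ts_sec=1, ts_usec=0, incl_len=4, orig_len=4, payload de ad be ef (constructed)
  printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357' >> "$f"
}

# First four bytes of stdin as lowercase hex, the way a dissector inspects the pcap magic.
magic_of() { od -An -tx1 -N4 | tr -d ' \n'; }

# What the consumer sees at the head of the stream produced by `tail -c +0` (Sergei's form).
magic_via_tail_c() { tail -c +0 "$1" | magic_of; }

# Total bytes delivered by `tail -c +0`; must equal the file size (44 for the sample).
bytes_via_tail_c() { tail -c +0 "$1" | wc -c | tr -d ' '; }

# The live variant from the thread: replay from byte 0, then keep following appends.
# It never exits on its own, so it is only defined here; wrap it as in the answer,
#   wireshark -k -i <(follow_pcap_stream dump.pcap)      (bash process substitution)
# or pipe it:  follow_pcap_stream dump.pcap | wireshark -k -i -
follow_pcap_stream() { tail -c +0 -F "$1"; }

# Stand-alone demo on a temporary constructed file.
demo() {
  tmp=$(mktemp)
  make_sample_pcap "$tmp"
  echo "magic via tail -c +0: $(magic_via_tail_c "$tmp") (expect d4c3b2a1, little-endian pcap)"
  echo "bytes via tail -c +0: $(bytes_via_tail_c "$tmp") (expect 44)"
  rm -f "$tmp"
}
demo
```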