I've been using the program sflowtool to process a live stream of sflow packets and dump these packets in a standard pcap format for analysis using tshark. This has been working well, but I need to decorate these packets with additional port information from the sflow packet itself. To do this I've modified sflowtool to dump packets out in a pcap-ng format, allowing me to add port information using the optional comment in the enhanced packet block. However, tshark doesn't seem to support processing of pcap-ng format via a stdin pipe. I do realise that the tshark man page does mention that "Data read from pipes must be in the standard pcap format", however, the wireshark wiki under the section CaptureSetup/Pipes mentions that: "This only works with the de facto standard libpcap format version 2.4, as described in Development/LibpcapFileFormat, and with the standard pcap-ng format" Is there something I'm missing? whats the best way for me to process a live feed of pcap-ng formatted packets using tshark? Thanks. asked 02 Feb '16, 04:36 Fordo |
I've come across the same issue and got no answer to the related part of this question. I've finally decided not to file a "nice to have" bug because practically the importance was low for me (no need to process such captures online).
But it should not actually be a big issue as both Wireshark and tshark, if set to capture from interfaces rather than read from a file, spawn dumpcap as the actual capturing process and read the data from its output. And a single instance of dumpcap captures packets from several interfaces simultaneously, so it should be sending the data to Wireshark or tshark as pcap-ng. So if you feel like that, file a "nice to have" bug at the Wireshark Bugzilla yourself.
See https://www.wireshark.org/lists/wireshark-dev/201507/msg00107.html and https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370
Thanks for both comments. Anders, reading between the lines, it appears that a bug request has been entered but it's of such low priority that nothing is being done about it? Is it possible to raise the priority of this issue as it appears that a number of users are requesting it?
Like every thing in open source it requires some one to take interest in the mather and spend their free time to implement it.