This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I've been using the program sflowtool to process a live stream of sflow packets and dump these packets in a standard pcap format for analysis using tshark. This has been working well, but I need to decorate these packets with additional port information from the sflow packet itself.

To do this I've modified sflowtool to dump packets out in a pcap-ng format, allowing me to add port information using the optional comment in the enhanced packet block. However, tshark doesn't seem to support processing of pcap-ng format via a stdin pipe. I do realise that the tshark man page does mention that "Data read from pipes must be in the standard pcap format", however, the wireshark wiki under the section CaptureSetup/Pipes mentions that:

"This only works with the de facto standard libpcap format version 2.4, as described in Development/LibpcapFileFormat, and with the standard pcap-ng format"

Is there something I'm missing? What's the best way for me to process a live feed of pcap-ng formatted packets using tshark?

Thanks.

asked 02 Feb '16, 04:36

Fordo
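As an added example (not code from the question, from sflowtool or from the Wireshark project), here is a minimal pcapng writer in Python that emits a Section Header Block, an Interface Description Block and an Enhanced Packet Block whose opt_comment option carries the kind of per-packet port annotation described above. The sample Ethernet frame and the comment text are constructed; block and option codes follow the pcapng specification.

```python
import struct
import sys

# Added example: build a pcapng stream with a commented Enhanced Packet Block.

def _block(block_type, body):
    """Wrap a block body in the pcapng framing: type, total length, body, total length."""
    body += b"\x00" * (-len(body) % 4)              # pad body to a 32-bit boundary
    length = 12 + len(body)                           # 4 type + 4 len + body + 4 len
    return struct.pack("<II", block_type, length) + body + struct.pack("<I", length)

def _option(code, value):
    """Encode one option: 16-bit code, 16-bit length, value padded to 4 bytes."""
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * (-len(value) % 4)

def section_header():
    # Block type 0x0A0D0D0A, byte-order magic 0x1A2B3C4D, version 1.0,
    # section length -1 (unknown, required for a live stream), opt_endofopt.
    body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(0, b"")
    return _block(0x0A0D0D0A, body)

def interface_description(linktype=1, snaplen=65535):
    # Block type 1: LinkType (1 = Ethernet), reserved, SnapLen, opt_endofopt.
    body = struct.pack("<HHI", linktype, 0, snaplen) + _option(0, b"")
    return _block(1, body)

def enhanced_packet(pkt, comment, ts_usec=0, iface=0):
    # Block type 6: interface id, 64-bit timestamp as high/low halves (default
    # resolution is microseconds), captured and original lengths, padded packet
    # data, then opt_comment (code 1, UTF-8, not NUL-terminated) and opt_endofopt.
    ts_hi, ts_lo = ts_usec >> 32, ts_usec & 0xFFFFFFFF
    body = struct.pack("<IIIII", iface, ts_hi, ts_lo, len(pkt), len(pkt))
    body += pkt + b"\x00" * (-len(pkt) % 4)
    body += _option(1, comment.encode("utf-8")) + _option(0, b"")
    return _block(6, body)

def build_stream(packets):
    """packets: iterable of (raw_frame_bytes, comment_str) -> complete pcapng bytes."""
    out = section_header() + interface_description()
    for pkt, comment in packets:
        out += enhanced_packet(pkt, comment)
    return out

if __name__ == "__main__":
    # Constructed sample: broadcast Ethernet header (IPv4 ethertype) + 3 payload bytes.
    frame = bytes.fromhex("ffffffffffff0011223344550800") + b"\x01\x02\x03"
    sys.stdout.buffer.write(build_stream([(frame, "sflow in=5 out=7")]))
```

Redirecting the output to a file and opening it with `tshark -r file.pcapng -V` shows the comment as packet metadata, which is a quick way to check the block layout before wiring the writer into a live pipeline.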

I've come across the same issue and got no answer to the related part of this question. I've finally decided not to file a "nice to have" bug because practically the importance was low for me (no need to process such captures online).

But it should not actually be a big issue as both Wireshark and tshark, if set to capture from interfaces rather than read from a file, spawn dumpcap as the actual capturing process and read the data from its output. And a single instance of dumpcap captures packets from several interfaces simultaneously, so it should be sending the data to Wireshark or tshark as pcap-ng. So if you feel like that, file a "nice to have" bug at the Wireshark Bugzilla yourself.

(02 Feb '16, 05:12) sindy

Thanks for both comments. Anders, reading between the lines, it appears that a bug request has been entered but it's of such low priority that nothing is being done about it? Is it possible to raise the priority of this issue as it appears that a number of users are requesting it?

(02 Feb '16, 07:50) Fordo

Like everything in open source, it requires someone to take an interest in the matter and spend their free time to implement it.

(02 Feb '16, 08:05) Anders ♦