This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Mergecap combine multiple named pipes


I am looking for a way to combine multiple named pipes containing pcap data into one single pipe that can be used as input into Wireshark. As a fictitious and non-working example, I am trying to do something like this:

mkfifo trace1
mkfifo trace2
mkfifo trace3
mergecap -w - trace1 trace2 trace3 | wireshark -k -i - &
tcpdump -i eth1 -s0 -w - > trace1 &
tcpdump -i eth2 -s0 -w - > trace2 &
tcpdump -i eth3 -s0 -w - > trace3 &

(Of course, tshark would be much better suited to this specific example as I could specify multiple interfaces with it and obviate the need of named pipes altogether. In reality however, each of the tcpdumps will be executed on different remote hosts and their output will be piped to the local machine.)

I am trying to find a way to merge those separate streams into one so that I can view them all in wireshark simultaneously and in real-time. If mergecap cannot do it, are there any other tools you have used for this? Also, I have a tool that should merge arbitrary named pipes, but in order to make sure the packet data is not scrambled, I need to provide a separator. Does the pcap format have a standard separator between packets?

Thanks!

asked 16 Feb '17, 13:36

Lemurshark


2 Answers:


Does the pcap format have a standard separator between packets?

No. The pcap format has a fixed-length header at the beginning of a file, followed by a sequence of records for packets; each packet record has a fixed-length header that includes a time stamp, an "on the wire" length for the packet, and a "number of bytes captured" length for the packet, followed by the packet data. The "number of bytes captured" length specifies the number of bytes of packet data.

answered 16 Feb '17, 15:18

Guy Harris ♦♦
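As an added illustration of the record layout described in this answer (example code written for this page, not from the original thread or from Wireshark/libpcap): a reader that walks a pcap stream purely by its length fields, since there is no separator to search for, plus a mergecap-style merge by timestamp over several such streams. The sample captures are constructed inline; the 256 KiB per-record sanity bound is this example's own assumption, not something the pcap format specifies.

```python
import heapq
import io
import struct

# pcap magic numbers: classic (microsecond timestamps) and nanosecond variant
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
FILE_HEADER_LEN = 24    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
MAX_RECORD_BYTES = 262144  # assumption: sanity bound so a corrupt length can't run away


def _read_exact(stream, n):
    """Read exactly n bytes, looping because a pipe may deliver short reads."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def read_pcap_records(stream):
    """Yield (timestamp_ns, orig_len, data) for each record in a pcap byte stream.

    Record boundaries are found only by consuming the fixed-length headers in
    order; nothing in the data marks where one packet ends and the next begins.
    """
    hdr = _read_exact(stream, FILE_HEADER_LEN)
    if len(hdr) < FILE_HEADER_LEN:
        raise ValueError("truncated pcap file header")
    # The magic number tells us both byte order and timestamp resolution.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", hdr[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap stream (bad magic %r)" % hdr[:4])
    frac_to_ns = 1000 if magic == MAGIC_USEC else 1
    _major, _minor, _tz, _sigfigs, _snaplen, _linktype = struct.unpack(endian + "HHiIII", hdr[4:])

    while True:
        rh = _read_exact(stream, RECORD_HEADER_LEN)
        if not rh:
            return  # clean end of stream
        if len(rh) < RECORD_HEADER_LEN:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rh)
        if incl_len > MAX_RECORD_BYTES:
            raise ValueError("corrupt record: incl_len %d exceeds sanity bound" % incl_len)
        data = _read_exact(stream, incl_len)  # incl_len bytes of packet data follow
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        yield (ts_sec * 1_000_000_000 + ts_frac * frac_to_ns, orig_len, data)


def merge_by_timestamp(streams):
    """mergecap-style merge: always emit the earliest pending record across streams."""
    readers = [read_pcap_records(s) for s in streams]
    heap = []
    for idx, rdr in enumerate(readers):
        rec = next(rdr, None)
        if rec is not None:
            heapq.heappush(heap, (rec[0], idx, rec))  # idx breaks ties, never rec
    while heap:
        _ts, idx, rec = heapq.heappop(heap)
        yield rec
        nxt = next(readers[idx], None)
        if nxt is not None:
            heapq.heappush(heap, (nxt[0], idx, nxt))


def build_pcap(records, linktype=1, snaplen=65535):
    """Write a little-endian, microsecond pcap blob from (ts_sec, ts_usec, data) tuples."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, data in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


def parse_pcap(blob):
    """Convenience wrapper: parse an in-memory pcap blob into a list of records."""
    return list(read_pcap_records(io.BytesIO(blob)))


def demo():
    # Constructed sample captures standing in for two interfaces with interleaved timestamps.
    cap_a = build_pcap([(100, 0, b"A0"), (100, 500000, b"A1"), (102, 0, b"A2")])
    cap_b = build_pcap([(100, 250000, b"B0"), (101, 0, b"B1")])
    merged = merge_by_timestamp([io.BytesIO(cap_a), io.BytesIO(cap_b)])
    return [rec[2] for rec in merged]


if __name__ == "__main__":
    print(demo())
```

Because the only way to locate a record boundary is to have consumed every header before it, two writers sharing one pipe will interleave bytes at arbitrary points and the reader cannot recover; each source needs its own pipe (or its own file header and stream), which is exactly what the per-stream readers above model.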


In case you're unaware, Wireshark can read from multiple interfaces. I have experimented a bit with a possible solution for you using tcpdump and libpcap versions 4.9.0 and 1.8.1, respectively. Below is the contents of a script I ran to successfully test this. Perhaps it's useful to you?

#!/bin/sh

# Remove pipes in case there are any unread data.
# (May not be completely necessary but doesn't hurt.)
rm -f sharkfin1 sharkfin2

# Create pipes, 1 per interface:
mkfifo sharkfin1 > /dev/null 2>&1
mkfifo sharkfin2 > /dev/null 2>&1

# Start wireshark, reading from sharkfin1 and sharkfin2 pipes
wireshark -k -i sharkfin1 -i sharkfin2 &

# Begin capture on relevant interfaces and write packets to pipes
filter=icmp
tcpdump --immediate-mode -U -i eth0 -w sharkfin1 $filter &
tcpdump --immediate-mode -U -i eth1 -w sharkfin2 $filter &
wait

answered 17 Feb '17, 14:31

cmaynard ♦♦