https://wiki.wireshark.org/CaptureSetup/Pipes.md#tcp-socket
"A TCP stream is treated as like data from other pipes and the same
restrictions apply.
On each new connection the TCP server must send the header blocks as
specified by libpcap or pcapng before any packet captures.
TCP@ pipes may also be
On Jan 31, 2022, at 4:56 AM, Erik Hjelmvik wrote:
> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP stream
> over a TCP socket.
>
> Currently, the best solution to read PCAP-over-IP in Wireshark is by using
> netcat to read the PCAP stream and forward it to Wireshark's ST
That use case is exactly what extcap was invented for. In your case, there
could be a small Python or C application on the hosts side, which handles
the pipe management. Extcap is - in its essence - just a neat user
interface for configuring such pipe scenarios. So in your case, you could
provide yo
Thanks for the feedback Roland!
sshdump is indeed a neat way to capture packets from a remote machine. But
I'm afraid that extcap solution isn't quite what I'm looking for either. I
should have explained more in detail what I'm trying to achieve, so that
you folks wouldn't have to guess. I primaril
If udpdump is nothing for you, and you are able to run a capture tool like
tshark or tcpdump on the remote machine, you can take a look at sshdump. A
sibling of udpdump, it executes the remote capture program via ssh, and
then transports the data as-is through a ssh-connection. It can be seen as
a
Hi Dario,
Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my
requirements. Wrapping captured packets inside of UDP packets or IP packets
(as in ERSPAN) to allow remote sniffing is an attractive solution, but it
comes with several drawbacks. Some of these drawbacks include diffic
You can have a look at udpdump, which doesn't use TCP but UDP, but it may
fit your purpose.
On Mon, Jan 31, 2022 at 1:57 PM Erik Hjelmvik
wrote:
> Hello folks,
>
> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
> stream over a TCP socket.
>
> Currently, the best solution t
Hello folks,
Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
stream over a TCP socket.
Currently, the best solution to read PCAP-over-IP in Wireshark is by using
netcat to read the PCAP stream and forward it to Wireshark's STDIN like
this:
nc localhost 57012 | wireshark -k -
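
The wiki requirement quoted at the top of this page (on every new connection the TCP server sends the libpcap header block before any packets), as an added example that is not part of the thread or of Wireshark's code: a minimal PCAP-over-IP sender that the netcat pipeline above can read from. The function names and the sample frame are constructed for illustration; port 57012 is the one used in the command above, and the listener is bound to loopback.

```python
import socket
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1

def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """24-byte libpcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame bytes."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def send_stream(conn, frames):
    """On an established connection: file header first, then one record per frame."""
    conn.sendall(pcap_global_header())
    for frame in frames:
        conn.sendall(pcap_record(frame))

def serve(frames, host="127.0.0.1", port=57012):
    """Accept clients one at a time; each new connection gets its own header block."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn:
                send_stream(conn, frames)

# Constructed sample: a 60-byte Ethernet frame (broadcast destination, zero source,
# EtherType 0x88B5 "local experimental"), zero-padded to the minimum frame size.
SAMPLE_FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x88\xb5" + b"\x00" * 46

if __name__ == "__main__":
    serve([SAMPLE_FRAME])
```

If the header is sent only once at server start rather than per connection, a second client receives bare packet records and the reader cannot identify the stream as pcap.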