Is it possible to capture a .pcap file via C++ (fopen, fwrite, fclose) and open it at the same time in Wireshark?

At the same time that the program doing the capturing is writing to it?

That's not easy. When you open a file, Wireshark expects it to be complete, NOT a "work in progress" to which a program is writing packets while it's reading the file.

On a UN*X system, a somewhat clumsy mechanism to do this would be to:

  • write a program that has a loop that reads from the standard input, writes to the standard output, and, if it gets an EOF from the standard input, waits 1 second and then continues to try to read from the standard input;
  • create a FIFO file with mkfifo /tmp/fifo;
  • run wireshark -i /tmp/fifo -k;
  • run the capture program;
  • run the small program, with its standard input being the file to which the capture program is writing and its standard output being /tmp/fifo.

You would have to make sure that the account under which you run the small program has read permission on the file; if you are, for example, running the capture program as root, and it creates its output file as root, that file will be owned by root, and you will have to make sure that users other than root have read permission on the file.

On Windows, it's more complicated. You would have to:

  1. arrange that the capture program open its output file with sharing allowed;
  2. have the small program read its standard input and write its standard output in binary mode, not text mode;
  3. have the small program create a Windows named pipe and report its name;
  4. run the small program before you run Wireshark;
  5. run Wireshark as wireshark -i {name the small program reports} -k.
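
The "small program" from the UN*X steps above could look like the following sketch. It is an added example, not code from the original answer; `follow_copy` and its `max_idle` parameter are hypothetical names. It uses `read()` rather than stdio so that an earlier EOF does not stop later reads from seeing appended packets.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy in_fd to out_fd. On EOF, sleep wait_secs and retry, because the capture
 * program may still be appending. max_idle < 0 polls forever; otherwise stop
 * after more than max_idle consecutive EOFs (hypothetical knob for testing).
 * Returns the number of bytes copied, or -1 on error with errno set. */
long follow_copy(int in_fd, int out_fd, unsigned wait_secs, int max_idle)
{
    char buf[65536];
    long total = 0;
    int idle = 0;
    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) {                 /* EOF for now; later appends are still seen */
            if (max_idle >= 0 && ++idle > max_idle) return total;
            sleep(wait_secs);
            continue;
        }
        idle = 0;
        for (ssize_t off = 0; off < n; ) {   /* writes to a FIFO may be partial */
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                if (errno == EINTR) continue;
                return -1;            /* EPIPE: the reader closed the FIFO */
            }
            off += w;
        }
        total += n;
    }
}

int main(void)
{
    signal(SIGPIPE, SIG_IGN);         /* get EPIPE from write() instead of a signal */
    if (follow_copy(STDIN_FILENO, STDOUT_FILENO, 1, -1) < 0 && errno != EPIPE) {
        fprintf(stderr, "follow: %s\n", strerror(errno));
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

Built as `follow`, it would be run with its standard input redirected from the capture program's output file and its standard output redirected to /tmp/fifo.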