dumpcap, and thus both TShark and Wireshark (which use dumpcap to capture traffic), supports "TCP@<host>:<port>" as a specification for a capture source.

This causes dumpcap to attempt to connect to the given port on the given host, so there must be something on that host listening for connection attempts to that port before starting the capture. This means that `nc`, for example, must be run with the `-l` flag on the machine from which the packets will be sent; there is no equivalent to `nc -k -l <port> | wireshark -k -i -` - you would have to do something such as `tcpdump -s 0 -Un -w - | nc -l <port>` on the host from which the packets will be sent.

Unfortunately, that will cause packets to pile up until dumpcap tries to connect, which may cause packets to be dropped.

It might be useful to add a syntax to dumpcap to support it listening for connections rather than attempting to make a connection, e.g. "TCP@<listen>:port" (where "<listen>" is literally that string), or "TCP@<port>" or "TCP@:<port>", allowing the equivalent of `nc -k -l <port> | wireshark -k -i -`.
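Added example, not part of the answer above: a POSIX shell helper that validates a "TCP@<host>:<port>" capture-source spec and wraps the two commands the answer describes, the sender-side `tcpdump | nc -l` pipeline and the receiver-side `dumpcap` connect. The function names and the default output file name are my own; it assumes tcpdump and nc are installed on the sending host and dumpcap on the receiving host, and that nc accepts `nc -l <port>` as in the answer.

```shell
#!/bin/sh
# Helpers for the "TCP@<host>:<port>" capture source accepted by dumpcap
# (and therefore TShark and Wireshark). Added example, not Wireshark code.

# Validate a spec of the form TCP@<host>:<port>.
# Prints "<host> <port>" on success; returns 1 on a malformed spec.
parse_tcp_source() {
    spec=$1
    case "$spec" in
        TCP@*:*) ;;
        *) return 1 ;;
    esac
    rest=${spec#TCP@}
    host=${rest%:*}     # everything before the last colon (keeps IPv6 literals intact)
    port=${rest##*:}    # everything after the last colon
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric port
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# Sender side. Must be started first, because dumpcap connects outwards.
# Streams a raw pcap to the first client that connects to <port>:
#   -s 0 = no snaplen truncation, -U = packet-buffered, -n = no name lookups.
# Packets queue in the pipe until dumpcap connects, so expect drops on a
# busy interface (the limitation the answer describes).
send_capture() {
    port=$1; iface=${2:-}
    if [ -n "$iface" ]; then set -- -i "$iface"; else set --; fi
    tcpdump "$@" -s 0 -Un -w - | nc -l "$port"
}

# Receiver side: dumpcap connects to the sender and writes the stream to a file.
receive_capture() {
    spec=$1; outfile=${2:-remote-capture.pcapng}   # hypothetical default name
    parse_tcp_source "$spec" >/dev/null || { echo "bad capture source: $spec" >&2; return 1; }
    dumpcap -i "$spec" -w "$outfile"
}

# Usage: ./remote-capture.sh send <port> [iface]   (on the sending host)
#        ./remote-capture.sh receive TCP@<host>:<port> [outfile]
case "${1:-}" in
    send)    send_capture "$2" "$3" ;;
    receive) receive_capture "$2" "$3" ;;
esac
```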