Something Like UNIX Tee in Windows For Tshark

asked 2019-10-17 12:43:22 +0000

JustinGoldberg

updated 2019-10-17 12:45:08 +0000

I have a Yealink IP phone that I would like to capture in real time. The phone's web GUI will begin downloading / writing to a file using the "enhanced capture" feature. It stops writing when I click "stop capture" in the web GUI. Is there a way to tee, "tail", or pipe this to the .pcap file that tshark can read in real time, so that I can ascertain which button presses/features/calls/conferences/transfers on the phone correlate to what packet at what time, as they happen, rather than after the capture? I suspect that the answer is at the Windows OS level or browser/addon/plugin level, and not a tshark feature, but I thought this is the best place to ask.

Also, I'll be switching over to Linux or BSD for troubleshooting in the near future, so what is the proper Linux way to do this?

1 Answer

answered 2019-10-17 14:46:40 +0000

cmaynard

On Windows, if you have Cygwin installed, you may be able to accomplish this using tail. For example, assuming the web GUI is writing packets to a file, file.pcap, run Wireshark as follows:

tail -f -c +0 -f file.pcap | Wireshark.exe -k -i -

This also works with tshark, but the output is buffered, so in my testing, it's not as real-time and responsive as it is with Wireshark.

It should be possible to apply the same technique on Linux/BSD as well.


Great! Wireshark will work! I thought tshark was a requirement to use tail or tee types of tools.

JustinGoldberg ( 2019-10-22 18:54:30 +0000 )
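
An added example, not part of the original thread and not Wireshark code: a record-aware follower in Python for a capture file that is still being written, which emits a packet only once its whole record is on disk and prints its timestamp immediately. It assumes the phone writes classic pcap rather than pcapng; `PcapFollower` and `follow` are hypothetical names.

```python
import struct, sys, time

# First 4 bytes of a classic pcap file -> (struct byte order, timestamp ticks per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),  # nanoseconds
}

class PcapFollower:
    """Incremental classic-pcap parser that tolerates a file ending mid-record."""
    def __init__(self):
        self.buf, self.order, self.ticks = b"", None, None

    def feed(self, data):
        """Take newly read bytes; return [(epoch_seconds, frame_bytes)] for complete records."""
        self.buf += data
        done = []
        if self.order is None:
            if len(self.buf) < 24:          # 24-byte global header not fully written yet
                return done
            if self.buf[:4] not in MAGICS:
                raise ValueError("not a classic pcap file (pcapng is not handled here)")
            self.order, self.ticks = MAGICS[self.buf[:4]]
            self.buf = self.buf[24:]
        while len(self.buf) >= 16:          # 16-byte per-record header
            sec, frac, caplen, _wire = struct.unpack(self.order + "IIII", self.buf[:16])
            if len(self.buf) < 16 + caplen:
                break                       # writer is mid-record; keep bytes for next call
            done.append((sec + frac / self.ticks, self.buf[16:16 + caplen]))
            self.buf = self.buf[16 + caplen:]
        return done

def follow(path, poll=0.2):
    """Yield (timestamp, frame) from a growing capture file until interrupted."""
    parser = PcapFollower()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(65536)
            if chunk:
                yield from parser.feed(chunk)
            else:
                time.sleep(poll)            # at EOF: wait for the writer to append more

if __name__ == "__main__":
    # Usage: python follow_pcap.py file.pcap   (file name taken from the answer above)
    for ts, frame in follow(sys.argv[1]):
        print(f"{ts:.6f}  {len(frame)} bytes", flush=True)
```

Because the script has no platform-specific calls, the same file can be used on Windows and on Linux/BSD.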
