Ask Your Question

How to use rawshark to analyse a pcap file which is generated by tcpdump?

asked 2018-05-01 13:21:09 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

There is a pcap file on my disk ,I want to print it on my console by using rawshark, but receive this "rawshark: Input file or pipe name not specified".

My command is like this: ./rawshark -s ./f1528 -d encap:EN10MB

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-05-01 19:13:50 +0000

Jaap gravatar image
Usage: rawshark [options] ...

Input file:
-r <infile>              set the pipe or file name to read from

Are you missing -r ?

edit flag offensive delete link more


I've tried -r ,but receive ""./f1528" is neither an interface nor a pipe"

TimeT gravatar imageTimeT ( 2018-05-02 01:04:11 +0000 )edit

Ah, so rawshark is intended to provide 'realtime' processing of a data stream. Therefore it's not geared to reading already existing capture files. That is just old data. You'll have to feed it otherwise.

One way to do this is using a pipe, like so (reading from stdin):

cat ./f1528 | ./rawshark -s -r - -d encap:EN10MB

Another way it to use a FIFO (in the file system), like so:

mkfifo sharkfin
cat ./f1526 > sharkfin

while in another process (another shell):

./rawshark -s -r sharkfin -d encap:EN10MB

You may want to add some -F options too, to get some field data.

Jaap gravatar imageJaap ( 2018-05-02 11:09:31 +0000 )edit

That works, Thank you so much!

TimeT gravatar imageTimeT ( 2018-05-03 07:55:23 +0000 )edit

I think the documentation could be improved as it certainly reads like a file can passed directly.

grahamb gravatar imagegrahamb ( 2018-05-03 15:22:22 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-05-01 13:21:09 +0000

Seen: 1,548 times

Last updated: May 01 '18