Ask Your Question

How to write/capture a pcap file to test dissector?

asked 2022-11-29 18:30:32 +0000

DavidA_2018 gravatar image

Hi, we have a mature Lua dissector which we need to continue to develop and test.

We have a Client and Server pair of test programs, coded in C++ and connected via TCP/IP. We capture the exchanged packets using Wireshark in order to test the dissector.

My question is how to conveniently capture the packets. We can run on Windows (including WSL) or Linux. We want to avoid using Npcap because of license costs. I guess the obvious solution is to use 3 PCs connected to a switch, to run the client, server and Wireshark. However, that is cumbersome due to the quantity of equipment, particularly if working remotely from the test setup.

Please can anyone suggest a more elegant test configuration, requiring less hardware?

Could a loopback be configured using WSL/WSL2 in Windows, or on a Linux box, in which case all 3 apps could run on the same machine?

Could the C++ client/ server programs write packets directly to a PCAP file for later dissection by Wireshark?

edit retag flag offensive close merge delete


We want to avoid using Npcap because of license costs.

Do you have a custom Wireshark installer? If you only have Lua dissectors, then you should be able to install the stock Wireshark installer with Npcap and not have to worry about licensing costs. From the Npcap License Agreement:

Copies of Npcap do not count toward the five copy, five computer, or
five user limitations imposed by this section if they are installed
and used solely in conjunction with any of the following software:

o The Nmap Security Scanner, as distributed from

o The Wireshark network protocol analyzer, as distributed from

o Microsoft Defender for Identity, as distributed from
cmaynard gravatar imagecmaynard ( 2022-11-29 21:50:42 +0000 )edit

Hi Chris, thanks very much for answering my question. Your reply was very helpful. David.

DavidA_2018 gravatar imageDavidA_2018 ( 2022-11-30 14:22:34 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2022-11-29 19:14:21 +0000

André gravatar image

updated 2022-11-29 19:16:28 +0000

You only need one machine to do the capturing. So I don't understand the comment about license costs. Especially when capturing using Linux is an option.

Yes you can capture localhost traffic or other virtual interfaces, thus using WSL, virtual machines or Docker images.

Yes, a C++ program can create pcap(ng) files using the libpcap library. In this case I would prefer to capture on a NIC.

edit flag offensive delete link more


Thanks for your answer.

DavidA_2018 gravatar imageDavidA_2018 ( 2022-11-30 14:22:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2022-11-29 18:30:32 +0000

Seen: 443 times

Last updated: Nov 29 '22