Ask Your Question
0

Stream tcpdump output to Wireshark GUI

asked 2025-04-11 18:33:57 +0000

Kentzo gravatar image

Output of tcpdump can be fed directly to Wireshark via:

$ tcpdump -s 0 -Un -w - | /Applications/Wireshark/Wireshark.app/Contents/MacOS/Wireshark -k -i -

And if tcpdump and Wireshark run on different machines one can do

$ tcpdump -s 0 -Un -w - | nc 192.0.2.1 8080  
$ nc -k -l 8080 | /Applications/Wireshark/Wireshark.app/Contents/MacOS/Wireshark -k -i -

But I wonder if it's possible to initiate listening for a tcpdump stream from within Wireshark GUI (for convenience). I know that there is "UDP Listener Remote capture" that makes Wireshark to listen on a particular port for data of a patricular format. However, what format do I need to specify so Wireshark can interpret the tcpdump stream? I tried data, pcap and pcapng but it didn't work.

edit retag flag offensive close merge delete

Comments

I think there is an alignment issue. tcpdump is writing a stream. Testing on a mac, nc breaks the stream into 1024 byte chunks. The "UDP Listener" is expecting discrete packets.
If tcpdump could be told to only write packet data (with no file header) and nc told when to send each packet, then there might be a chance at dissecting the Exported PDUs.

Chuckc gravatar imageChuckc ( 2025-04-12 03:03:10 +0000 )edit
add a comment

3 Answers

Sort by » oldest newest most voted
0

answered 2025-04-12 03:26:46 +0000

Chuckc gravatar image

updated 2025-04-12 03:48:12 +0000

4.6. The “Manage Interfaces” Dialog Box
Wireshark can capture from a pipe. If the nc -k -l 8080 can write to a pipe or FIFO, Wireshark can read it.

The tshark man page has a little better description of the pipe syntax.

Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. On Windows systems, pipe names must be of the form "\.\pipe\pipename". Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.

mkfifo -m 777 /tmp/ws_fifo
nc -l 5555 > /tmp/ws_fifo

tcpdump -i 1 -w - | nc 127.0.0.1 5555

If you are adventurous, you could write your own extcap driver:
8.2. Adding Capture Interfaces And Log Sources Using Extcap

edit flag offensive delete link more
add a comment
0

answered 2025-04-13 09:08:42 +0000

Guy Harris gravatar image

dumpcap, and thus both TShark and Wireshark (which use dumpcap to capture traffic), supports "TCP@<host>:<port>" as a specification for a capture source.

This causes dumpcap to attempt to connect to the given port on the given host, so there must be something on that host listening for connection attempts to that port before starting the capture.

This means that nc, for example, must be run with the -l flag on the machine from which the packets will be sent; there is no equivalent to nc -k -l <port> | wireshark -k -i - - you would have to do something such as tcpdump -s 0 -Un -w - | nc -l <port> on the host from which the packets will be sent.

Unfortunately, that will cause packets to pile up until dumpcap tries to connect, which may cause packets to be dropped.

It might be useful to add a syntax to dumpcap to support it listening for connections rather than attempting to make a connection, e.g. "TCP@<listen>:port" (where "<listen>" is literally that string), or "TCP@<port>" or "TCP@:<port>", allowing the equivalent of nc -k -l <por> | wireshark -k -i -.

edit flag offensive delete link more

Comments

Where in the Wireshark GUI can I specify TCP@<host>:<port> to connect to?

Kentzo gravatar imageKentzo ( 2025-04-13 15:57:13 +0000 )edit

It's documented with the -i (interface) option in the dumpcap, tshark and wireshark man pages.
You can specify it in the Wireshark gui in the Pipes tab of 4.6. The “Manage Interfaces” Dialog Box.

Chuckc gravatar imageChuckc ( 2025-04-13 17:12:21 +0000 )edit

You can specify it in the Wireshark gui in the Pipes tab

Not obvious - perhaps it should be renamed "Pipes and Sockets".

Guy Harris gravatar imageGuy Harris ( 2025-04-14 02:15:46 +0000 )edit

13353: Remote pcap: Store active hosts in a preference file, recent hosts in a list
There is a bug with how it's handled now so maybe a chance to rework the gui?

Chuckc gravatar imageChuckc ( 2025-04-14 12:14:11 +0000 )edit
add a comment
0

answered 2025-04-11 19:11:15 +0000

SYN-bit gravatar image

You can use sshdump to do that, it's in the installer under "tools", AFAIK it is not installed by default, so you will have to enable it during installation.

edit flag offensive delete link more

Comments

It is an option, but it requires a running SSH server as well as an SSH user on the target machine that can run tcpdump. All in all it is more work (and administrative burden) than `tcpdump <-> nc <-> Wireshark approach in OP which I almost like except that I must keep a terminal session in addition to the gui app.

Kentzo gravatar imageKentzo ( 2025-04-11 19:47:44 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-04-11 18:33:57 +0000

Seen: 59 times

Last updated: yesterday

Related questions

Step by step SSL decrypt with wireshark

Add custom option to toolbar in wireshark GUI

Unable to write to standard output: The pipe is being closed.

Ignored Unknown Record

Can't see encrypted application data in SSL session

How to use rawshark to analyse a pcap file which is generated by tcpdump?

Link layer header type for serial/UART communication

Under what source folder is the code to edit the statistics tab of the UI?

TCP Retransmission requests from IPTV Server and TCP Dup Ack Requests from Client

How set GUI dimensions/location with "-o prefname:value"