Revision history

How to capture on TCP@ip:port interface?

The only reference I have right now is this post:

https://www.wireshark.org/lists/wireshark-dev/202202/msg00002.html

In my case, the data is sent to the Wireshark machine via netcat (nc), e.g. tcpdump -i any -w - | nc 192.168.1.2 57012

On the Wireshark machine side, I tried to read it using the TCP@ip:port syntax. I tried with both the loopback IP 127.0.0.1 and the machine's actual network IP (e.g. 192.168.1.2), but it fails to connect, with an error returned. The port used is 57012, the same port the remote machine sends to.

If I try something like first running a netcat command on the same Wireshark machine to receive/listen for the data, like "nc -l 57012", and then spin up Wireshark with the TCP@ip:port syntax, then it doesn't complain about a connection failure, but I get no data coming through.

What does work for me is if I use netcat and instead pipe the data to Wireshark, e.g. "nc -l 57012 | wireshark -i -". I still have to start the capture from the UI, but then it works.

Or I can swap out the piped wireshark section with "tshark -r -" to see a dump on the terminal. But using tshark with the special TCP syntax also gives the same issues as Wireshark.

So I wanted to ask how exactly this syntax feature is supposed to work, and what the normal recommended deployment scenario for it is.

It sounds like using the syntax to connect to a remote machine that is sending/holding the data works better than the Wireshark machine querying itself on the localhost network to get at the data? How is this setup typically configured or deployed?

Sadly for me, unlike that referenced post, the loopback address doesn't work for me.

There is a brief but not that helpful example mentioned here https://www.netresec.com/?page=Blog&month=2022-08&post=What-is-PCAP-over-IP, but it didn't help me in my test setup.

Or is my test setup incorrect? If so, using a *nix toolchain of combined tools, how can I send data from remote capture machine A using tcpdump/dumpcap to Wireshark machine B so that Wireshark can fetch the data using the TCP@ip:port interface?
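The setup the question is circling around, as an added example that is not part of the original post and not Wireshark's own code: in PCAP-over-IP the capture side is the TCP server, streaming a raw pcap byte stream to whoever connects, and Wireshark's TCP@host:port interface is the client that connects to it. The script below simulates both ends on loopback with a constructed two-packet pcap stream. The server class stands in for "tcpdump -w - | nc -l ..." on the capture machine, and the client mirrors what the TCP@ reader has to do: connect, read the 24-byte global header, check the magic, then consume 16-byte record headers plus packet bytes until the peer closes. All class and function names are hypothetical, and the sample packets are constructed, not captured.

```python
import io
import socket
import struct
import threading

# PCAP-over-IP: the capturer serves a raw pcap stream on a TCP port; the
# analyser (Wireshark started with -i TCP@host:port) connects as a client.
PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, payload):
    # ts_sec, ts_usec, incl_len, orig_len, then the packet bytes
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload


# Constructed sample packets (hypothetical addresses), not real captures:
# a 42-byte broadcast ARP-shaped frame and a 54-byte IPv4-shaped frame.
SAMPLE_PACKETS = [
    (1700000000, 0, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"A" * 28),
    (1700000000, 500000, b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + b"B" * 40),
]


def build_stream(packets=SAMPLE_PACKETS):
    """Exactly the bytes 'tcpdump -w -' would emit: global header + records."""
    return pcap_global_header() + b"".join(pcap_record(*p) for p in packets)


class PcapOverIpServer:
    """Capture-side listener: accept one client, push the stream, close."""

    def __init__(self, host, port, stream):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]   # port 0 picks a free one
        self.stream = stream
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(self.stream)            # closing conn signals end of capture
        self.sock.close()


def parse_pcap_stream(f):
    """Consume a pcap stream from a binary file-like object until EOF."""
    hdr = f.read(24)
    if len(hdr) < 24:
        raise ValueError("stream ended before a full pcap global header")
    magic, vmaj, vmin, _, _, snaplen, linktype = struct.unpack("<IHHiIII", hdr)
    if magic != PCAP_MAGIC:
        raise ValueError(f"not a little-endian pcap stream: magic {magic:#x}")
    packets = []
    while True:
        rec = f.read(16)
        if not rec:                              # peer closed: capture finished
            break
        if len(rec) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
        if incl_len > snaplen:
            raise ValueError("record exceeds snaplen; corrupt or misaligned stream")
        data = f.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        packets.append((ts_sec, ts_usec, data))
    return {"version": (vmaj, vmin), "linktype": linktype, "packets": packets}


def parse_pcap_bytes(data):
    return parse_pcap_stream(io.BytesIO(data))


def read_pcap_over_ip(host, port):
    """Analyser side, i.e. what TCP@host:port does: connect and read until EOF."""
    with socket.create_connection((host, port), timeout=5) as s:
        return parse_pcap_stream(s.makefile("rb"))


def demo():
    srv = PcapOverIpServer("127.0.0.1", 0, build_stream())   # the "capture machine"
    return read_pcap_over_ip("127.0.0.1", srv.port)          # the "Wireshark machine"


if __name__ == "__main__":
    result = demo()
    print(f"pcap v{result['version']}, linktype {result['linktype']}, "
          f"{len(result['packets'])} packets received over TCP")
```

Mapped onto the real tools, the same roles give: on capture machine A, "tcpdump -i any -U -w - | nc -l -p 57012" (OpenBSD-style nc takes "nc -l 57012"; tcpdump's -U flushes each packet instead of buffering), and on Wireshark machine B, "wireshark -k -i TCP@<IP of A>:57012". In the post's first attempt both "nc 192.168.1.2 57012" on A and TCP@ on B act as clients, so nothing is listening and both fail to connect; in the second attempt "nc -l 57012" on B only relays between its own stdin/stdout and the single peer it accepts, it does not forward data between two connected clients, so Wireshark connects but receives nothing. Keeping the listener on the capture side is also the safer deployment: only the analyser needs to reach A's port, and nothing on B has to accept inbound connections.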