This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Show packet data in real-time during capture

0

Is there a way to view a packet stream in real time? What I mean by this can kind of be simulated by holding ctrl+end during a capture and watching the Packet Bytes view. Not all packets need to be displayed, just the latest one.

This is useful in certain situations such as monitoring a live UDP stream while manipulating an application.

Thanks

asked 12 May '11, 09:10

Hugh Jeffner
6112
accept rate: 0%

You can turn on Auto Scroll in Live Capture, but you still need to hit CTRL+end to view the packet bytes of the last packet.

(12 May '11, 10:21) joke

2 Answers:

2

Stealing Gerald's idea and enhancing it with some awk magic might do the trick for you:

tcpdump -nlX -i en1 | awk '$1~"..:..:.." {system("clear")} {print}'

This will capture traffic and show it straight away (without name resolution or buffering). Then the awk will clear the screen on the first line of tcpdump output for each packet.

answered 13 May '11, 10:49

SYN-bit ♦♦
17.1k957245
accept rate: 20%

It doesn't have the performance I was hoping for but it does work. -Thanks

(13 May '11, 17:04) Hugh Jeffner
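
A variant of the filter in this answer, added here as an example and not part of the original thread: instead of running `clear` through `system()` for every packet, awk writes the ANSI "cursor home" and "erase display" sequences itself, so no extra process is started per packet. The function names, the sample capture, and the assumption that every packet header line starts with an `HH:MM:SS.` timestamp are illustrative.

```shell
#!/bin/sh
# Added example: keep only the newest packet of `tcpdump -X` output on screen.
# Assumption: each packet begins with a line whose first field is a
# timestamp such as 10:49:01.123456 (tcpdump's default time format).

# Filter for tcpdump -X text on stdin. On every packet header line it emits
# ESC[H (cursor home) and ESC[J (erase to end of screen), then the line.
latest_packet_view() {
    awk '
        $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ {
            printf "\033[H\033[J"    # redraw from the top-left corner
        }
        { print; fflush() }          # push each line out immediately
    '
}

# Constructed sample input (addresses from the documentation range,
# hex bytes made up) so the filter can be exercised without a capture.
sample_capture() {
    cat <<'EOF'
10:49:01.000001 IP 192.0.2.10.5004 > 192.0.2.20.5004: UDP, length 4
    0x0000:  4500 0020 0001 0000 4011 f6b5 c000 020a  E.......@.......
10:49:01.020002 IP 192.0.2.10.5004 > 192.0.2.20.5004: UDP, length 4
    0x0000:  4500 0020 0002 0000 4011 f6b4 c000 020a  E.......@.......
EOF
}

# Live use, with the interface name from the answer above:
#   tcpdump -nlX -i en1 | latest_packet_view
# Offline check of the redraw behaviour:
#   sample_capture | latest_packet_view
```

If the system awk is mawk, start it with `-W interactive`, otherwise it block-buffers input arriving on the pipe and the display lags behind the capture.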

1

You can sort of do this in the GUI as Joke describes, but it might make more sense to do this on the command line using tshark -x or tcpdump -X.

answered 12 May '11, 11:12

Gerald Combs ♦♦
3.3k92258
accept rate: 24%

This looks promising, but it scrolls by way too fast. Is there an easy way to pipe the output to display only the most recent packet? I basically need to write each packet output to the same area of the screen.

(12 May '11, 12:56) Hugh Jeffner