I am looking for a way to combine multiple named pipes containing pcap data into one single pipe that can be used as input into Wireshark. As a fictitious and non-working example, I am trying to do something like this:
(Of course, tshark would be much better suited to this specific example as I could specify multiple interfaces with it and obviate the need of named pipes altogether. In reality however, each of the tcpdumps will be executed on different remote hosts and their output will be piped to the local machine.)
I am trying to find a way to merge those separate streams into one so that I can view them all in Wireshark simultaneously and in real-time. If mergecap cannot do it, are there any other tools you have used for this? Also, I have a tool that should merge arbitrary named pipes, but in order to make sure the packet data is not scrambled, I need to provide a separator. Does the pcap format have a standard separator between packets?
asked 16 Feb, 13:36
No. The pcap format has a fixed-length header at the beginning of a file, followed by a sequence of records for packets; each packet record has a fixed-length header that includes a time stamp, an "on the wire" length for the packet, and a "number of bytes captured" length for the packet, followed by the packet data. The "number of bytes captured" length specifies the number of bytes of packet data.
answered 16 Feb, 15:18
Guy Harris ♦♦
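A small illustration of the framing this answer describes, added here as an example and not taken from the question, the answer or Wireshark's own code: records are delimited only by the per-record "bytes captured" length, so merging pipes means re-framing each record and emitting a single global header. It assumes every input stream shares byte order, link type and timestamp resolution, and uses constructed sample data (microsecond magic, Ethernet link type).

```python
import struct

GLOBAL_HDR_LEN = 24  # magic, version, thiszone, sigfigs, snaplen, network
RECORD_HDR_LEN = 16  # ts_sec, ts_frac, incl_len (bytes captured), orig_len (on the wire)

def pcap_endianness(stream):
    """Return the struct byte-order prefix for a stream from its magic number."""
    # The magic is written in host order; read little-endian, it reveals the writer's
    # byte order (0xa1b23c4d / 0x4d3cb2a1 are the nanosecond-timestamp variants).
    magic = struct.unpack("<I", stream[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        return "<"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):
        return ">"
    raise ValueError("not a pcap stream, magic %#x" % magic)

def split_records(stream):
    """Frame a pcap byte string into (ts_sec, ts_frac, orig_len, data) tuples.
    There is no separator: incl_len alone says where the next record header starts."""
    endian = pcap_endianness(stream)
    records, offset = [], GLOBAL_HDR_LEN
    while offset + RECORD_HDR_LEN <= len(stream):
        hdr = stream[offset:offset + RECORD_HDR_LEN]
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", hdr)
        start, end = offset + RECORD_HDR_LEN, offset + RECORD_HDR_LEN + incl_len
        if end > len(stream):
            break  # partial record from a pipe: wait for more bytes, never emit a cut packet
        records.append((ts_sec, ts_frac, orig_len, stream[start:end]))
        offset = end
    return records

def merge_streams(streams):
    """Re-frame records from several streams under one global header, ordered by time
    (assumes identical byte order, link type and timestamp resolution in every input)."""
    header = streams[0][:GLOBAL_HDR_LEN]
    endian = pcap_endianness(header)
    records = sorted((r for s in streams for r in split_records(s)), key=lambda r: r[:2])
    out = bytearray(header)
    for ts_sec, ts_frac, orig_len, data in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(data), orig_len) + data
    return bytes(out)

def make_stream(records, endian="<"):
    """Constructed sample input: Ethernet (link type 1) global header plus records."""
    out = bytearray(struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts_sec, ts_usec, data in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return bytes(out)
```

On a live pipe you would keep the unconsumed tail (the partial record) and prepend it to the next read, which is exactly what a separator-based splitter cannot do for this format.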
In case you're unaware, Wireshark can read from multiple interfaces. I have experimented a bit with a possible solution for you using
answered 17 Feb, 14:31