
I am looking for a way to combine multiple named pipes containing pcap data into one single pipe that can be used as input into Wireshark. As a fictitious and non-working example, I am trying to do something like this:

mkfifo trace1
mkfifo trace2
mkfifo trace3
mergecap -w - trace1 trace2 trace3 | wireshark -k -i - &
tcpdump -i eth1 -s0 -w - > trace1 &
tcpdump -i eth2 -s0 -w - > trace2 &
tcpdump -i eth3 -s0 -w - > trace3 &

(Of course, tshark would be much better suited to this specific example as I could specify multiple interfaces with it and obviate the need for named pipes altogether. In reality however, each of the tcpdumps will be executed on different remote hosts and their output will be piped to the local machine.)

I am trying to find a way to merge those separate streams into one so that I can view them all in Wireshark simultaneously and in real time. If mergecap cannot do it, are there any other tools you have used for this? Also, I have a tool that should merge arbitrary named pipes, but in order to make sure the packet data is not scrambled, I need to provide a separator. Does the pcap format have a standard separator between packets?

Thanks!

asked 16 Feb, 13:36


Lemurshark
26349
accept rate: 0%


Does the pcap format have a standard separator between packets?

No. The pcap format has a fixed-length header at the beginning of a file, followed by a sequence of records for packets; each packet record has a fixed-length header that includes a time stamp, an "on the wire" length for the packet, and a "number of bytes captured" length for the packet, followed by the packet data. The "number of bytes captured" length specifies the number of bytes of packet data.


answered 16 Feb, 15:18


Guy Harris ♦♦
16.9k335192
accept rate: 19%
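As an added example (not part of this answer, nor code from Wireshark or libpcap), the following Python script shows how a reader splits and merges pcap streams using only those fixed-length headers, with no separator at all: it reads the 24-byte file header to learn the byte order, then uses each record's "number of bytes captured" field to find where the next record starts, and merges several inputs (files or named pipes opened in binary mode) in timestamp order. It assumes all inputs share the same byte order, timestamp unit and link type; the function names are my own.

```python
import heapq, struct

def read_global_header(stream):
    """Parse the 24-byte pcap file header; return (endian prefix, raw header, link type)."""
    hdr = stream.read(24)
    if len(hdr) != 24:
        raise ValueError("truncated pcap file header")
    magic = hdr[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec / nsec
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec / nsec
        endian = ">"
    else:
        raise ValueError("not a pcap stream (bad magic %r)" % magic)
    return endian, hdr, struct.unpack(endian + "I", hdr[20:24])[0]

def iter_records(stream, endian):
    """Yield ((sec, frac), record_bytes) per packet. No separator is needed: the
    16-byte record header's 'bytes captured' field says how much data follows."""
    while True:
        rec_hdr = stream.read(16)
        if not rec_hdr:
            return                                   # clean end of stream
        if len(rec_hdr) != 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, caplen, _origlen = struct.unpack(endian + "IIII", rec_hdr)
        data = stream.read(caplen)
        if len(data) != caplen:
            raise ValueError("truncated packet data, expected %d bytes" % caplen)
        yield (ts_sec, ts_frac), rec_hdr + data

def merge_pcap_streams(inputs, output):
    """Merge pcap streams (files or pipes, binary mode) into one ordered by timestamp,
    reusing the first input's file header; returns the record count. Assumption
    (mine): all inputs share byte order, timestamp unit and link type."""
    first, iters = None, []
    for s in inputs:
        endian, hdr, linktype = read_global_header(s)
        if first is None:
            first = (hdr[:4], linktype, hdr)
        elif (hdr[:4], linktype) != first[:2]:
            raise ValueError("inputs differ in byte order, timestamp unit or link type")
        iters.append(iter_records(s, endian))
    output.write(first[2])
    count = 0
    for _ts, rec in heapq.merge(*iters, key=lambda item: item[0]):
        output.write(rec)
        count += 1
    output.flush()
    return count
```

On live pipes, ordering by timestamp means the merge blocks until every input has produced its next record, so a quiet interface stalls the output until its writer flushes something.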

In case you're unaware, Wireshark can read from multiple interfaces. I have experimented a bit with a possible solution for you using tcpdump and libpcap versions 4.9.0 and 1.8.1, respectively. Below are the contents of a script I ran to successfully test this. Perhaps it's useful to you?

#!/bin/sh

# Remove pipes in case there are any unread data.
# (May not be completely necessary but doesn't hurt.)
rm -f sharkfin1 sharkfin2

# Create pipes, 1 per interface:
mkfifo sharkfin1 > /dev/null 2>&1
mkfifo sharkfin2 > /dev/null 2>&1

# Start wireshark, reading from sharkfin1 and sharkfin2 pipes
wireshark -k -i sharkfin1 -i sharkfin2 &

# Begin capture on relevant interfaces and write packets to pipes
filter=icmp
tcpdump --immediate-mode -U -i eth0 -w sharkfin1 $filter &
tcpdump --immediate-mode -U -i eth1 -w sharkfin2 $filter &
wait


answered 17 Feb, 14:31


cmaynard ♦
9.0k836140
accept rate: 20%
