Wireshark-users: Re: [Wireshark-users] remote capture with a pipe: "unrecognized libpcap format"
From: "Kaz Mir" <k2a1z9@xxxxxxxxx>
Date: Fri, 24 Oct 2008 13:05:07 +0200
Thank you for your answer. I'll let you know if I find a solution to this.

On Fri, Oct 24, 2008 at 10:54 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Oct 24, 2008, at 1:47 AM, KaZ wrote:
>
>> Do you think that printing 2 processes simultaneously into a pipe
>> could be a reason for this error?
>
> Yes.  In fact, I very strongly suspect that it's the reason for the
> error.
>
> You have two processes writing (I wouldn't call it "printing", as it's
> writing binary data) to a single pipe, which means that you will get
> buffers full of data from the two processes intermingled.
>
> Libpcap format consists of a fixed-length per-file header, followed by
> a sequence of fixed-length per-packet headers followed immediately by
> the packet data.
>
> Packet boundaries don't necessarily correspond to buffer boundaries,
> and even if they did, there would be no guarantee that you won't get
> part of one packet written into the middle of another packet if you
> have two instances of libpcap writing to the same pipe (or the same
> file).
>
>> Can wireshark read and merge
>> from 2 pipes at once?
>
> No, it cannot.  You'd have to run two separate instances of Wireshark,
> reading from two separate instances of tcpdump, via two different FIFOs.
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
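
The framing problem described in the quoted reply, as an added example that is not part of the original thread and is not Wireshark's or libpcap's own code: a minimal reader for the classic little-endian libpcap layout (24-byte file header, then 16-byte record headers each followed by packet data), run over one writer's stream and over two writers' streams interleaved in fixed-size buffers. The payloads, timestamps, the 64-byte buffer size and the reader's sanity checks are constructed assumptions for illustration.

```python
import struct

MAGIC = 0xA1B2C3D4                      # classic microsecond-resolution pcap magic
FILE_HDR = struct.Struct("<IHHiIII")    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
SNAPLEN = 65535

def make_stream(payloads):
    """Build a little-endian pcap byte stream (constructed sample data)."""
    out = FILE_HDR.pack(MAGIC, 2, 4, 0, 0, SNAPLEN, 1)
    for i, p in enumerate(payloads):
        out += REC_HDR.pack(1224846307 + i, 0, len(p), len(p)) + p
    return out

def interleave(a, b, chunk):
    """Simulate two writers whose buffers land alternately in one pipe."""
    out = b""
    for off in range(0, max(len(a), len(b)), chunk):
        out += a[off:off + chunk] + b[off:off + chunk]
    return out

def parse(stream):
    """Return packet payloads, or raise ValueError when framing is broken."""
    if len(stream) < FILE_HDR.size:
        raise ValueError("truncated file header")
    magic, _, _, _, _, snaplen, _ = FILE_HDR.unpack_from(stream, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    pos, packets = FILE_HDR.size, []
    while pos < len(stream):
        if len(stream) - pos < REC_HDR.size:
            raise ValueError(f"truncated record header at offset {pos}")
        _, ts_usec, incl, orig = REC_HDR.unpack_from(stream, pos)
        if incl > snaplen or incl > orig or ts_usec >= 1_000_000:
            raise ValueError(f"implausible record header at offset {pos}")
        pos += REC_HDR.size
        if len(stream) - pos < incl:
            raise ValueError(f"truncated packet data at offset {pos}")
        packets.append(stream[pos:pos + incl])
        pos += incl
    return packets

if __name__ == "__main__":
    a, b = make_stream([b"A" * 60] * 2), make_stream([b"B" * 60] * 2)
    print(len(parse(a)), "packets from one writer")
    try:
        parse(interleave(a, b, 64))
    except ValueError as e:
        print("two writers:", e)
```

In the interleaved run the file header still looks valid and the first record is accepted, but its data already contains the second writer's file header; the reader only notices at the next record header, whose length fields are packet bytes.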