Wireshark-users: Re: [Wireshark-users] [HELP] How to send bytes to wireshark on runtime
On Aug 6, 2009, at 6:17 PM, Sam Roberts wrote:

> On Fri, Jun 5, 2009 at 2:21 AM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
>> On Jun 4, 2009, at 8:28 PM, Satish Chandra wrote:
>>
>>> Thanks for the information. Well, I have run wireshark many times
>>> and as far as I know...we can only set the interface from where to
>>> capture the packet. How to set it to capture the packet from the
>>> Pipe?
>>
>> Use the full pathname of the named pipe as the name of the capture
>> interface.
>
> Are you sure this works? From within the gui there is no way to enter
> paths to capture interfaces that I can see,

Capture -> Options, and type the path into the "Interface:" field in
the dialog box.

> and the other options:
>
> wireshark /full/path/to/fifo.pcap

That's not a valid option for that - Wireshark, when run with just a
path name as an argument, opens the item at that pathname as a regular
file and tries to read it as a capture file (which requires that it be
able to seek in that and reread packets, so it can't be a FIFO).

> wireshark -i /full/path/to/fifo.pcap
>
> Also doesn't work.

It's a bit non-obvious, but if you want Wireshark to start capturing
immediately, you have to specify the "-k" flag as well:

wireshark -i /full/path/to/fifo.pcap -k

Perhaps we should, if "-i" was specified and no file to read was
specified, start a capture.

> I'm on linux, I've written a utility (in lua, for what it's worth)
> that captures ZigBee traffic from a UZBee USB device, and writes it in
> pcap format. If I write it to a file, I can read the file, but I would
> very much like to write it to a FIFO and see live traffic capture.
> Hitting the refresh button continually sucks.
>
> Is there a way to do this?

Yes.

Write the code in C, instead, and add it to libpcap; then either

1) rebuild Wireshark with the version of libpcap you've built and
installed

or

2) build and install that libpcap as a shared library (the current
top-of-tree Git version of libpcap supports doing that on a number of
platforms, including Linux) and set LD_LIBRARY_PATH when running
Wireshark so that it works with the version you installed (by default,
the library is installed in /usr/local/lib)

or

3) if you're feeling daring, build it as a shared library, save the
existing libpcap shared library, and replace it with the new one.

Ask in tcpdump-workers@xxxxxxxxxxx for advice on how to do that.

If you do that, then Wireshark will be able to capture *directly* on
the UZBee device, without the need for the utility, or the FIFO.
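As an added example that is not code from this thread or from Wireshark, here is a small Python writer for the FIFO approach Sam describes: it emits a classic pcap stream (global header, then one record header per packet) into a named pipe so that "wireshark -k -i /path/to/fifo" can read it live. The FIFO path, the Ethernet link type and the sample frames are assumptions; a real ZigBee sniffer would use its own DLT and its own frames.

```python
import os
import struct
import sys

# Classic pcap: a 24-byte global header, then a 16-byte record header per packet.
# Everything is written sequentially and never seeked, so a FIFO works where a
# regular capture file would not (as explained in the thread above).
LINKTYPE_ETHERNET = 1  # assumed DLT for the sample frames; a ZigBee sniffer would use its own


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Little-endian pcap header with microsecond timestamps (magic 0xa1b2c3d4)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(data, ts):
    """Record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame bytes."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(data), len(data)) + data


def stream_to_fifo(path, packets, linktype=LINKTYPE_ETHERNET):
    """Create the FIFO if needed, wait for a reader to open it, then stream the packets."""
    if not os.path.exists(path):
        os.mkfifo(path)
    # open() blocks until a reader (the capture child started by "wireshark -k -i <path>")
    # has opened the other end of the pipe.
    with open(path, "wb", buffering=0) as fifo:
        fifo.write(pcap_global_header(linktype))
        for ts, data in packets:
            fifo.write(pcap_record(data, ts))


# Constructed sample input: two minimal 60-byte Ethernet frames (broadcast destination,
# made-up source MACs, EtherType 0x0800) padded with zeros.
SAMPLE_FRAMES = [
    (1.0, bytes.fromhex("ffffffffffff0011223344550800") + b"\x00" * 46),
    (1.5, bytes.fromhex("ffffffffffff0011223344660800") + b"\x00" * 46),
]

if __name__ == "__main__":
    fifo_path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/uzbee.fifo"  # assumed path
    print(f"now run: wireshark -k -i {fifo_path}", file=sys.stderr)
    stream_to_fifo(fifo_path, SAMPLE_FRAMES)
```

Start the script first or Wireshark first; whichever side opens the pipe first simply blocks until the other side attaches, and the two frames then appear in the live capture window.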