Wireshark-users: Re: [Wireshark-users] [HELP] How to send bytes to wireshark on runtime
From: Guy Harris <[email protected]>
Date: Thu, 6 Aug 2009 18:48:37 -0700
On Aug 6, 2009, at 6:17 PM, Sam Roberts wrote:

> On Fri, Jun 5, 2009 at 2:21 AM, Guy Harris <[email protected]> wrote:
>> On Jun 4, 2009, at 8:28 PM, Satish Chandra wrote:
>>> Thanks for the information. Well, I have run wireshark many times
>>> and as far as I know...we can only set the interface from where to
>>> capture the packet. How to set it to capture the packet from the
>>> Pipe ?
>> Use the full pathname of the named pipe as the name of the capture
> Are you sure this works? From within the gui there is no way to enter
> paths to capture interfaces that I can see,

Capture -> Options, and type the path into the "Interface:" field in
the dialog box.

> and the other options:
>
>  wireshark /full/path/to/fifo.pcap

That's not a valid option for that - Wireshark, when run with just a
path name as an argument, opens the item at that pathname as a regular
file and tries to read it as a capture file (which requires that it be
able to seek in that and reread packets, so it can't be a FIFO).

>  wireshark -i /full/path/to/fifo.pcap
>
> Also don't work.

It's a bit non-obvious, but if you want Wireshark to start capturing
immediately, you have to specify the "-k" flag as well:

	wireshark -i /full/path/to/fifo.pcap -k

Perhaps we should, if "-i" was specified and no file to read was specified, start a capture.

> I'm on linux, I've written a utility (in lua, for what it's worth)
> that captures ZigBee traffic from a UZBee USB device, and writes it in
> pcap format. If I write it to a file, I can read the file, but I would
> very much like to write it to a FIFO and see live traffic capture.
> Hitting the refresh button continually sucks.
>
> Is there a way to do this?

Write the code in C, instead, and add it to libpcap; then either

1) rebuild Wireshark with the version of libpcap you've built and installed

2) build and install that libpcap as a shared library (the current top-of-tree Git version of libpcap supports doing that on a number of platforms, including Linux) and set LD_LIBRARY_PATH when running Wireshark so that it works with the version you installed (by default, the library is installed in /usr/local/lib)

3) if you're feeling daring, build it as a shared library, save the existing libpcap shared library, and replace it with the new one.
Ask in [email protected] for advice on how to do that.

If you do that, then Wireshark will be able to capture *directly* on the UZBee device, without the need for the utility, or the FIFO.
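As an added illustration of the FIFO route discussed above (this is example code written for this page, not code from the thread, from Wireshark, from libpcap, or from Sam's Lua utility), the following Python stand-in for the capture-side tool writes the pcap global header and per-packet records to a named pipe and launches Wireshark on it with `-i <fifo> -k`. The FIFO path, the sample frames, and the function names are constructed for the example; the link-type value 195 is libpcap's DLT for IEEE 802.15.4 frames with FCS, which is the layer ZigBee frames are carried on.

```python
"""Feed pcap-formatted frames to Wireshark through a named pipe.
Added example for this thread; not from Wireshark, libpcap, or the Lua tool mentioned.
Assumes a Linux host with `wireshark` on PATH and a FIFO path chosen by the caller."""
import io
import os
import struct
import subprocess

PCAP_MAGIC = 0xA1B2C3D4          # pcap magic, written in host byte order (fine for a local pipe)
LINKTYPE_IEEE802_15_4 = 195      # libpcap DLT for 802.15.4 frames with FCS; ZigBee rides on these
SNAPLEN = 65535

# Constructed sample frames (timestamp, bytes); not real UZBee captures.
SAMPLE_FRAMES = [
    (1249606117.25, bytes.fromhex("418801cdabffff0000") + b"\x00" * 8),
    (1249606117.50, bytes.fromhex("618802cdab01000000") + b"\x01" * 12),
]


def pcap_global_header(linktype=LINKTYPE_IEEE802_15_4, snaplen=SNAPLEN):
    """24-byte file header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, linktype.
    Must be the first thing on the pipe; the reader cannot seek back to find it later."""
    return struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def parse_global_header(buf):
    """Inverse of pcap_global_header, used to self-check what the reader will see."""
    magic, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack("=IHHiIII", buf[:24])
    return {"magic": magic, "version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def pcap_record(frame, ts, snaplen=SNAPLEN):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame,
    truncated to snaplen. orig_len keeps the true on-air length even when truncated."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    data = frame[:snaplen]
    return struct.pack("=IIII", sec, usec, len(data), len(frame)) + data


def stream_packets(out, frames, linktype=LINKTYPE_IEEE802_15_4):
    """Write the header once, then one record per frame, flushing after each so the
    reader shows it immediately instead of waiting for a full buffer. Returns bytes written."""
    written = out.write(pcap_global_header(linktype))
    out.flush()
    for ts, frame in frames:
        written += out.write(pcap_record(frame, ts))
        out.flush()
    return written


def capture_to_bytes(frames, linktype=LINKTYPE_IEEE802_15_4):
    """Same byte stream as the pipe would carry, but into memory (offline self-check)."""
    buf = io.BytesIO()
    stream_packets(buf, frames, linktype)
    return buf.getvalue()


def start_wireshark_on_fifo(fifo_path):
    """Create the FIFO (mode 0600: whoever can write to it can inject frames into the
    capture), launch Wireshark with -i <fifo> -k, then open our write end.
    open() blocks until Wireshark's capture child (dumpcap) has opened the read end."""
    if not os.path.exists(fifo_path):
        os.mkfifo(fifo_path, 0o600)
    proc = subprocess.Popen(["wireshark", "-i", fifo_path, "-k"])
    out = open(fifo_path, "wb")
    return proc, out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # e.g. python3 fifo_feed.py /tmp/zigbee.fifo
        proc, pipe = start_wireshark_on_fifo(sys.argv[1])
        with pipe:
            stream_packets(pipe, SAMPLE_FRAMES)
        proc.wait()
    else:                                    # no FIFO given: show the stream offline
        data = capture_to_bytes(SAMPLE_FRAMES)
        print(len(data), "bytes;", parse_global_header(data))
```

Two details matter in practice: the write end of a FIFO blocks on `open()` until something has opened the read end, so Wireshark has to be started (with `-k`) before the producer opens the pipe, which is why the helper launches it first; and because the pipe is read sequentially, the global header must precede every record and the `.pcap` suffix on the FIFO name carries no meaning to Wireshark.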