Wireshark-users: Re: [Wireshark-users] [HELP] How to send bytes to wireshark on runtime

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 6 Aug 2009 18:48:37 -0700

On Aug 6, 2009, at 6:17 PM, Sam Roberts wrote:

> On Fri, Jun 5, 2009 at 2:21 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> On Jun 4, 2009, at 8:28 PM, Satish Chandra wrote:
>>> Thanks for the information. Well, I have run wireshark many times
>>> and as far as I know...we can only set the interface from where to
>>> capture the packet. How to set it to capture the packet from the
>>> Pipe ?
>>
>> Use the full pathname of the named pipe as the name of the capture
>> interface.
>
> Are you sure this works? From within the gui there is no way to enter
> paths to capture interfaces that I can see,

Capture -> Options, and type the path into the "Interface:" field in the dialog box.

> and the other options:
>
>  wireshark /full/path/to/fifo.pcap

That's not a valid option for that - Wireshark, when run with just a path name as an argument, opens the item at that pathname as a regular file and tries to read it as a capture file (which requires that it be able to seek in that and reread packets, so it can't be a FIFO).

>  wireshark -i /full/path/to/fifo.pcap
>
> Also doesn't work.

It's a bit non-obvious, but if you want Wireshark to start capturing immediately, you have to specify the "-k" flag as well:

	wireshark -i /full/path/to/fifo.pcap -k

Perhaps we should, if "-i" was specified and no file to read was specified, start a capture.

> I'm on linux, I've written a utility (in lua, for what it's worth)
> that captures ZigBee traffic from a UZBee USB device, and writes it in
> pcap format. If I write it to a file, I can read the file, but I would
> very much like to write it to a FIFO and see live traffic capture.
> Hitting the refresh button continually sucks.
>
> Is there a way to do this?

Yes.

Write the code in C, instead, and add it to libpcap; then either

1) rebuild Wireshark with the version of libpcap you've built and installed

or

2) build and install that libpcap as a shared library (the current top-of-tree Git version of libpcap supports doing that on a number of platforms, including Linux) and set LD_LIBRARY_PATH when running Wireshark so that it works with the version you installed (by default, the library is installed in /usr/local/lib)

or

3) if you're feeling daring, build it as a shared library, save the existing libpcap shared library, and replace it with the new one.

Ask in tcpdump-workers@xxxxxxxxxxx for advice on how to do that.

If you do that, then Wireshark will be able to capture *directly* on the UZBee device, without the need for the utility, or the FIFO.
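The pipe-based setup discussed in this thread, as an added example that is not part of the thread and not the UZBee utility's code: a small Python writer that emits a pcap stream (24-byte global header followed by 16-byte-header packet records) into a named pipe, so that `wireshark -i /tmp/zigbee.fifo -k` can display it live. The FIFO path, the link-layer type (DLT 230, IEEE 802.15.4 without FCS) and the two sample frames are assumptions and constructed data, not real captures.

```python
"""Feed a live pcap stream into Wireshark through a named pipe.

Added example, not the thread's code. Run it, then in another shell:

    wireshark -i /tmp/zigbee.fifo -k

(or start Wireshark first; the writer blocks in open() until a reader
attaches to the pipe). Path, link type and frames are assumptions.
"""
import io
import os
import stat
import struct
import sys
import time

PCAP_MAGIC = 0xA1B2C3D4            # microsecond-resolution pcap, written little-endian
PCAP_VERSION = (2, 4)
LINKTYPE_IEEE802_15_4_NOFCS = 230  # assumed link type for the constructed ZigBee frames


def pcap_global_header(linktype, snaplen=65535):
    """24-byte pcap file header: magic, version, tz offset, sigfigs, snaplen, link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, PCAP_VERSION[0], PCAP_VERSION[1],
                       0, 0, snaplen, linktype)


def pcap_record(frame, ts=None):
    """16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len) plus the frame."""
    if ts is None:
        ts = time.time()
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def write_stream(fp, frames, linktype=LINKTYPE_IEEE802_15_4_NOFCS):
    """Write the header plus one record per (timestamp, frame) pair; returns the record count.

    A FIFO cannot seek, so the header goes out first, and every record is
    flushed immediately; otherwise Wireshark would only see packets when the
    buffer fills or the writer exits.
    """
    fp.write(pcap_global_header(linktype))
    fp.flush()
    count = 0
    for ts, frame in frames:
        fp.write(pcap_record(frame, ts))
        fp.flush()
        count += 1
    return count


def render_stream(frames, linktype=LINKTYPE_IEEE802_15_4_NOFCS):
    """Same stream as an in-memory bytes object (for a regular file or for tests)."""
    buf = io.BytesIO()
    write_stream(buf, frames, linktype)
    return buf.getvalue()


# Constructed sample data (not real captures): an 802.15.4 beacon request and
# a short broadcast data frame carrying "Hello", both without FCS.
SAMPLE_FRAMES = [
    (1249606117.00, bytes.fromhex("0308a3ffffffff07")),
    (1249606117.25, bytes.fromhex("4188023412ffff000048656c6c6f")),
]


def open_fifo_for_writing(path):
    """Create the FIFO if needed (owner-only, so other local users cannot inject
    frames into the analyst's view) and refuse to write into a regular file."""
    if not os.path.exists(path):
        os.mkfifo(path, 0o600)
    if not stat.S_ISFIFO(os.stat(path).st_mode):
        raise SystemExit(f"{path} exists but is not a FIFO")
    # Blocks until Wireshark/dumpcap opens the read end of the pipe.
    return open(path, "wb")


def main(path):
    with open_fifo_for_writing(path) as fp:
        n = write_stream(fp, SAMPLE_FRAMES)
    print(f"wrote {n} records to {path}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/tmp/zigbee.fifo")
```

Two practical points the thread only hints at: `open()` on the write side of a FIFO blocks until something opens the read side, so the writer appears to hang until Wireshark is started with `-i <fifo> -k`; and every record has to be flushed as it is produced, because there is no way to go back and fix up anything in a pipe, which is also why plain `wireshark /path/to/fifo` (which needs a seekable file) cannot work. The `0o600` mode on the FIFO is deliberate: a world-writable pipe would let any local user feed fabricated frames into the trace being analysed.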