Re: PCap-NG support in Wireshark and Tshark

[Guy Harris <guy () alum mit edu>]

On Dec 18, 2013, at 4:46 AM, Matthias Lang <wireshark () matthias fastmail fm> wrote:

> 3. Wireshark can read a Pcap from stdin, but not Pcap-NG.
>
>   The following works fine:
>
> > ./wireshark -r /tmp/dumpcap.pcapng
>
>   But the following gets me a "Unrecognized libpcap format" dialog box:
>
> > ./wireshark -k -i - < /tmp/dumpcap.pcapng
>
>   I get the same dialog box if I do this:
>
> > cat /tmp/dumpcap.pcapng > /tmp/a_named_pipe  &
> > wireshark -k -i /tmp/a_named_pipe

That's better stated as "Wireshark can capture from a pipe if handed a pcap file, but not if handed a pcap-ng file"; 
Wireshark can't *read* from a pipe, but it can *capture* from a pipe and write the packets to a file (the packets 
*have* to be in a file in Wireshark, so that it can seek and re-read arbitrary packets).

And there's currently no code in dumpcap (which is what's reading from the pipe) to handle pcap-ng files, so, no, 
neither Wireshark nor TShark nor dumpcap can capture from a pipe if what's being written to the pipe is a pcap-ng file.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe