Capture Pcap

Packet Headwaters
3 min |  Ross Jacobs |  April 4, 2019


Piping with *shark

Piping is central to using many of these utilities. rawshark, for example, is awkward to use without it: it expects a raw packet stream (typically from a FIFO or stdin) rather than a saved capture file.

Utility      stdin formats   input formats   stdout formats   output formats (default)
capinfos     -               *pcaps [1]      report [2]       -
dumpcap      -               -               rawpcap          *pcaps (pcapng) [3]
editcap      -               *pcaps          -                *pcaps (pcapng)
mergecap     -               *pcaps          -                *pcaps (pcapng)
randpkt      -               -               -                (pcap)
rawshark     raw pcap [4]    -               report           -
reordercap   -               *pcaps          -                (same as input)
text2pcap    hexdump [5]     -               -                (pcap), pcapng
tshark       raw pcap        *pcaps          *many [6]        *pcaps, (pcapng)

  1. *pcaps: All pcap types available on the system (use tshark -F to list).
  2. report: Tabular or “machine-readable” data about a file.
  3. (): The default output file format for a given tool.
  4. raw pcap: The raw bytes of the capture file, file header first and packet records after it. Can be generated with cat $file | ..., read by piping to ... | tshark -r -, and saved with ... > $file.
  5. hexdump: A hexdump in the canonical form text2pcap expects can be generated with od -Ax -tx1 -v. As of Wireshark v3.0.0, tshark -r <my.pcap> -x will usually produce an acceptable form as well. If the hexdump is a stream, send it to text2pcap as <commands>... | text2pcap - <outfile>. If it is a file, use text2pcap <infile> <outfile>.
  6. *many: Tshark is the most versatile in terms of output:
  • rawpcap (-w -)
  • Report (-G)
  • PDU Subtrees (-V)
  • Packet Representations (accessible with -T)
    • Line-based: One line per packet
      • text (default): Abbreviated packets with one per line
      • tabs: Same as text, but uses tab as delimiter
      • fields: Show only the fields named with -e (for example -T fields -e ip.src -e tcp.port), one packet per line
    • JSON-based
      • json: All the json, all the time.
      • jsonraw: Like json, but each field carries its raw hex bytes instead of a decoded value
      • ek: Newline-delimited JSON in the Elasticsearch bulk-import format
    • XML-based
      • pdml: Packet Details Markup Language, the full dissection tree (what -V prints) as XML
      • psml: Packet Summary Markup Language, the one-line packet summaries as XML
    • PS-based
      • ps: Adobe PostScript file that can be converted to PDF

Using temp files instead of pipes

In bash, a temporary file can stand in for a pipe when a tool cannot read from stdin. editcap, for example, only reads files: write the filtered tshark output to a temp file, then hand that file to editcap for further alterations.

tempfile=$(mktemp)
tshark -r dhcp.pcap -Y "dhcp.type == 1" -w "$tempfile"
# editcap options go before the input and output file names
editcap -a 1:"Cool story bro!" "$tempfile" dhcp2.pcap
rm -f "$tempfile"

Pipe Types

An anonymous pipe (|) sends the stdout of one command to the stdin of another. A named pipe (aka FIFO) is a special file created by mkfifo: one process writes to it and a different process reads from it. More information about each can be found in this Stack Exchange post.

Anonymous Pipe

In this example, the first tshark captures packets and writes the raw capture bytes to stdout. That stdout is connected to the pipe, whose other end is the stdin of a second tshark process, which dissects the packets.

# You may need to use sudo to capture
tshark -w - | tshark -r -

Functionally this is the same as running a plain tshark capture, only with a pipe and an extra tshark process in the middle to demonstrate send/receive on |.

If you are reading from stdin, the data stream MUST be in a capture format tshark knows how to parse, and it must arrive in order: for pcap, the 24-byte file header has to come before the first packet record, or none of the packets after it will be parsed.
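The byte layout behind footnote 4 and the header-first rule above, as an added example (not from the original post and not Wireshark's code): a minimal pcap writer and a sequential, no-seek reader wired together over an anonymous pipe the same way tshark -w - | tshark -r - is, plus an emitter for the od -Ax -tx1 -v hexdump form that text2pcap reads (footnote 5). The frames are constructed dummy bytes, and the function names are this example's own.

```python
"""Minimal pcap stream writer/reader and a text2pcap-style hexdump emitter.

Added example, not from the original post: the "raw pcap" that `tshark -w -`
emits and `tshark -r -` expects is a 24-byte file header followed by
16-byte record headers, each followed by the packet bytes.
"""
import os
import struct
import threading

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data):
    """16-byte record header (ts_sec, ts_usec, caplen, origlen) plus the bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def pcap_stream(packets, with_header=True):
    """Serialize (ts_sec, ts_usec, bytes) tuples the way `tshark -w -` would.
    with_header=False models a producer that forgets the file header."""
    out = pcap_global_header() if with_header else b""
    for ts_sec, ts_usec, data in packets:
        out += pcap_record(ts_sec, ts_usec, data)
    return out


def read_exact(f, n):
    """Read exactly n bytes from a pipe, tolerating short reads; b'' at EOF."""
    buf = b""
    while len(buf) < n:
        chunk = f.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_pcap_stream(f):
    """Parse a pcap stream sequentially (no seeking), as a pipe reader must.
    Raises ValueError when the stream does not start with the file header."""
    hdr = read_exact(f, 24)
    if len(hdr) < 24:
        raise ValueError("short read: no pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError("bad magic 0x%08x: stream does not start with a pcap header" % magic)
    while True:
        rec = read_exact(f, 16)
        if not rec:
            return  # clean EOF between records
        if len(rec) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, _origlen = struct.unpack("<IIII", rec)
        data = read_exact(f, caplen)
        if len(data) < caplen:
            raise ValueError("truncated packet data")
        yield ts_sec, ts_usec, data


def od_hexdump(data):
    """Render bytes like `od -Ax -tx1 -v`: hex offset, 16 bytes per line,
    and a final offset-only line, which is the canonical text2pcap input."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
    lines.append("%06x" % len(data))
    return "\n".join(lines) + "\n"


# Constructed dummy Ethernet-sized frames (fake MACs, EtherType, filler), not real traffic.
SAMPLE_PACKETS = [
    (1554336000, 0, bytes(range(14)) + b"\x08\x00" + b"A" * 30),
    (1554336000, 500, bytes(range(14)) + b"\x86\xdd" + b"B" * 64),
]


def pipe_round_trip(with_header=True):
    """Push SAMPLE_PACKETS through an anonymous pipe, producer in one thread and
    a streaming reader in the other. Returns captured lengths, or the parse error."""
    r_fd, w_fd = os.pipe()
    payload = pcap_stream(SAMPLE_PACKETS, with_header=with_header)

    def producer():
        with os.fdopen(w_fd, "wb") as w:
            w.write(payload)

    t = threading.Thread(target=producer)
    t.start()
    with os.fdopen(r_fd, "rb") as reader:
        try:
            result = [len(d) for _, _, d in read_pcap_stream(reader)]
        except ValueError as exc:
            result = str(exc)
    t.join()
    return result


if __name__ == "__main__":
    print(pipe_round_trip())                    # [46, 80]
    print(pipe_round_trip(with_header=False))   # bad magic ...
    print(od_hexdump(SAMPLE_PACKETS[0][2]), end="")
```

With the header present both records come through; without it the reader trips over a bogus magic number on the very first bytes, which is the failure a pipeline hits when it feeds tshark -r - packet records with no file header in front. The od_hexdump() output can be piped into text2pcap - out.pcap to turn it back into a capture.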

Named Pipe

You can also read from a named pipe like so:

mkfifo myfifo
# You may need to use sudo to capture
tshark -w myfifo & tshark -i myfifo

Confusingly, a named pipe is read with -i rather than -r, even though it sits on the filesystem like an ordinary file. tshark treats the FIFO as a capture source (the pcap or pcapng stream is read from it by dumpcap), not as a saved capture file.