Quicklinks: Wireshark Docs
Piping is important to using many of these utilities. For example, it is not really possible to use rawshark without piping as it expects a FIFO or stream.
|Utility||stdin formats||input formats||stdout formats||output formats (default)|
|reordercap||-||*pcaps||-||(Same as input)|
|tshark||raw pcap||*pcaps||*many6||*pcaps, (pcapng)|
tshark -Fto list).
cat $file | ..., read by piping to
... | tshark -r -, and saved with
... > $file.
od -Ax -tx1 -v. As of Wireshark v3.0.0,
tshark -r <my.pcap> -xwill usually generate this as well. If hexdump is stream, send to text2pcap as
<commands>... | text2pcap - <outfile>. Otherwise if it’s a file, use
text2pcap <infile> <outfile>.
In bash, it’s possible to create temporary files to mimic using a pipe. In this example, editcap can only read files, so create a temp file, send filtered tshark output to it, and then read it from editcap to make further alterations.
tempfile=$(mktemp) tshark -r dhcp.pcap -Y "dhcp.type == 1" -w $tempfile editcap $tempfile dhcp2.pcap -a 1:"Cool story bro!"
An anonymous pipe sends the output of one command to another.
A named pipe (aka FIFO) is a file created by
mkfifo from which data can be read and to which data can be sent, by different processes.
More information about each can be found in this stackexchange post
In this example, tshark reads packets and sends the packet bytes to stdout. The stdout is written to the pipe which is sent to the stdin of a second tshark process.
# You may need to use sudo to capture tshark -w - | tshark -r -
This is equivalent to
tshark -r $file, only using a pipe and an extra tshark process to demonstrate send/recv on
If you are reading from stdin, then the data stream MUST conform to a capture type that tshark knows how to parse. This means, for example, that a pcap file needs to send the pcap header first or the packets that come after won’t be parsed.
You can also read from a pipe like so:
mkfifo myfifo # You may need to use sudo to capture tshark -w myfifo & tshark -i myfifo
Confusingly, reading a pipe is through
-i even though a named pipe is a file descriptor.