Pipes

Packet Headwaters
3 min |  Ross Jacobs |  April 4, 2019

Table of Contents

Quicklinks: Wireshark Docs


Piping with *shark

Piping is important to using many of these utilities. For example, it is not really possible to use rawshark without piping as it expects a FIFO or stream.

Utility stdin formats input formats stdout formats output formats (default)
capinfos - *pcaps1 report2 -
dumpcap - - rawpcap *pcaps (pcapng)
editcap - *pcaps - *pcaps (pcapng)
mergecap - *pcaps - *pcaps (pcapng)
randpkt - - - (pcap)
rawshark raw pcap3 - report -
reordercap - *pcaps - (Same as input)
text2pcap hexdump4 - - (pcap), pcapng
tshark raw pcap *pcaps *many5 *pcaps, (pcapng)

  1. *pcaps: All pcap types available on the system (use tshark -F to list).
  2. report: Tabular or “machine-readable” data about a file.
  3. rawpcap: The raw bytes of the pcap header and packets. Can be generated with cat $file | ..., read by piping to ... | tshark -r -, and saved with ... > $file.
  4. hexdump: A formatted hexdump can be canonically generated by od -Ax -tx1 -v. As of Wireshark v3.0.0, tshark -r <my.pcap> -x will usually generate this as well. If hexdump is stream, send to text2pcap as <commands>... | text2pcap - <outfile>. Otherwise if it’s a file, use text2pcap <infile> <outfile>.
  5. *many: Tshark is the most versatile in terms of output:
    • rawpcap (-w -)
    • Report (-G)
    • Packet Representations (accessible with -T)
    • text-based: text and tab are the same except for the tab delimiter
      • text/tabs (default): Abbreviated packets with one per line
      • text/tabs -V: PDU Subtrees
    • JSON-based
      • json
      • jsonraw
      • ek
    • XML-based
      • pdml
      • psml

Using temp files instead of pipes

In bash, it’s possible to create temporary files to mimic using a pipe. In this example, editcap can only read files, so create a temp file, send filtered tshark output to it, and then read it from editcap to make further alterations.

tempfile=$(mktemp)
tshark -r dhcp.pcap -Y "dhcp.type == 1" -w $tempfile
editcap $tempfile dhcp2.pcap -a 1:"Cool story bro!"

Pipe Types

An anonymous pipe sends the output of one command to another. A named pipe (aka FIFO) is a file created by mkfifo from which data can be read and to which data can be sent, by different processes. More information about each can be found in this stackoverflow post

Anonymous Pipe

In this example, tshark reads packets and sends the packet bytes to stdout. The stdout is written to the pipe which is sent to the stdin of a second tshark process.

# You may need to use sudo to capture
tshark -w - | tshark -r -

This is equivalent to tshark -r $file, only using a pipe and an extra tshark process to demonstrate send/recv on |.

If you are reading from stdin, then the data stream MUST confrom to a capture type that tshark knows how to parse. This means, for example, that a pcap file needs to send the pcap header first or the packets that come after won’t be parsed.

Named Pipe

You can also read from a pipe like so:

mkfifo myfifo
# You may need to use sudo to capture
tshark -w myfifo & tshark -i myfifo

Confusingly, reading a pipe is through -i even though a named pipe is a file descriptor.