Packet Input

It's frequently asked how to get packet data into Wireshark, when the common ways are not really suitable.

For live capturing, the CaptureSetup page will give a comprehensive overview about the ways that are already implemented.

The following page is about to choose the first steps to develop features not available yet.

The way to choose will depend if you just have some capture files in a format Wireshark don't understand, or if you really want to capture live network data in a way libpcap/WinPcap don't support.

Loading an existing file (with an unknown file format)

So you have an external application (or a file of it), which produces network packet data in a file format Wireshark don't understand.

You could (in the preferred order):

It's pretty easy to add another file format to wiretap (you must know that file format, of course). Further information can be found in the README files in the wiretap directory of the Wireshark sources.

Capturing from a physical network device

So you have some special hardware and want to get that captured data into Wireshark.

Unfortunately, this task will be almost certainly platform dependent.

Improve the existing way (OS driver/libpcap/WinPCap)

The standard capturing will use the network card driver of the operating system and libpcap/WinPcap to actually capture the packet data.

Improving this is the preferred way to get things done, as all applications using libpcap/WinPcap will benefit from this effort.

For the common network hardware types, most (if not all) of the development work is already done. You'll find an overview at the Supported Capture Media page. So the work left to do is to write a network card driver for the OS you are using (and probably for other OS's as well).

For network hardware, e.g. very special or brand new, you may have to do some more work.



So if you want to do it this way, you should contact the libpcap/WinPcap teams about your project, as this is not the subject of the Wireshark team.

Write your own capture application

If you don't want to use the standard way, you could write own capture application from scratch.



This might be an option if you already have some proprietary mechanism (e.g. a vendor based library) to get the capture data.

Capturing from a pipe

If you know how, you can do a lot of strange things using pipes 😃

See the CaptureSetup page for details.

Imported from on 2020-08-11 23:12:57 UTC