Something Like UNIX Tee in Windows For Tshark

I have a yealink ip phone that I would like to capture in real time. The phone's web gui will begin downloading / writing to a file using the "enhanced capture" feature. It stops writing when I click "stop capture" in the web gui. Is there a way to tee, "tail", or pipe this to the .pcap file that tshark can read in real time, so that I can ascertain which button presses/features/calls/conferences/transfers on the phone correlate to what packet at what time, as they happen, rather than after the capture? I suspect that the answer is at the Windows OS level or browser/addon/plugin level, and not a tshark feature, but I thought this is the best place to ask.

Also, I'll be switching over to Linux or BSD for troubleshooting in the near future, so what is the proper Linux way to do this?

On Windows, if you have Cygwin installed, you may be able to accomplish this using tail. For example, assuming the web GUI is writing packets to a file, file.pcap, run Wireshark as follows:

tail -f -c +0 -f file.pcap | Wireshark.exe -k -i -

This also works with tshark, but the output is buffered, so in my testing, it's not as real-time and responsive as it is with Wireshark.

It should be possible to apply the same technique on Linux/BSD as well.

Ref: https://wiki.wireshark.org/CaptureSet...

11.1k

cmaynard

answered 2019-10-17 14:46:40 +0000

edit flag offensive 0 remove flag delete link

Comments

Great! Wireshark will work! I thought tshark was a requirement to use tail or tee types of tools.

JustinGoldberg (2019-10-22 18:54:30 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Something Like UNIX Tee in Windows For Tshark edit

Comments

1 Answer

Comments