
How to send tshark output to named pipe in Windows?

I am attempting to use tshark to read pcap(ng) files while redirecting the raw packets to a named pipe. From there my C++ application is intended to read data from the named pipe and do custom processing.

Here is the problem. Whenever I attempt to configure tshark to write to a named pipe, it throws me the following error:

tshark: The file "//./pipe/test_pipe" could not be created because an invalid filename was specified.

This is an example command used to run tshark (read 2 packets from PCAP file, send to named-pipe as raw packets):

tshark.exe -r C:\git\example.pcapng -c 2 -w //./pipe/test_pipe

I am creating the named pipe from my application before calling Wireshark, using the code below:

HANDLE pipe_h = CreateNamedPipe(TEXT("//./pipe/test_pipe"),PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 1024 * 16, 1024 * 16, NMPWAIT_USE_DEFAULT_WAIT, NULL);

Furthermore, I can see that tshark throws a different error if I do not create the pipe before calling tshark.

tshark: The path to the file "//./pipe/test_pipe" doesn't exist

So this tells me that tshark is finding the named pipe, but not liking it for some reason. I also know that tshark is doing something with the named pipe before throwing the error, because the ConnectNamedPipe from my custom app succeeds once I run the tshark command.

The workflow described above works perfectly fine in Ubuntu.

What am I missing? Is this for some reason not supported in Windows?

and08
asked 2023-10-23 18:09:57 +0000


2 Answers


Why bother using a named pipe?

Just call tshark from your C/C++ application, either by using FILE* pipe = _popen("tshark ... -w -", "rb"); or by using the functions pipe, fork and execvp.

André
answered 2023-10-28 23:04:40 +0000, updated 2023-10-30 00:01:17 +0000
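
The `_popen` approach from the answer above, as an added example (not code from the thread or from Wireshark): the application starts tshark with `-w -` and reads the pcapng stream from its stdout, validating each block length before using it. The helper names, the 1 MiB block cap and the little-endian assumption are choices made for this example.

```cpp
// Added example (not from the thread). Assumes a little-endian pcapng stream.
#include <cstdint>
#include <cstdio>
#include <vector>

#ifdef _WIN32
#define POPEN _popen
#define PCLOSE _pclose
#define PMODE "rb"   // binary mode: no CR/LF translation of packet bytes
#else
#define POPEN popen
#define PCLOSE pclose
#define PMODE "r"
#endif

constexpr uint32_t kSectionHeader = 0x0A0D0D0A;   // pcapng Section Header Block
constexpr uint32_t kEnhancedPacket = 0x00000006;  // pcapng Enhanced Packet Block
constexpr uint32_t kByteOrderMagic = 0x1A2B3C4D;
constexpr uint32_t kMaxBlock = 1u << 20;          // assumed cap on one block's size

static uint32_t le32(const unsigned char* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Returns the number of Enhanced Packet Blocks, or -1 on a malformed or truncated stream.
long count_packets(FILE* in) {
    long packets = 0;
    unsigned char hdr[8];
    std::vector<unsigned char> body;
    size_t n;
    while ((n = fread(hdr, 1, sizeof hdr, in)) == sizeof hdr) {
        const uint32_t type = le32(hdr), total = le32(hdr + 4);
        // Validate the length field before allocating or reading anything based on it.
        if (total < 12 || total % 4 != 0 || total > kMaxBlock) return -1;
        body.resize(total - 8);
        if (fread(body.data(), 1, body.size(), in) != body.size()) return -1;
        if (le32(body.data() + body.size() - 4) != total) return -1;  // trailing length must match
        if (type == kSectionHeader && le32(body.data()) != kByteOrderMagic) return -1;
        if (type == kEnhancedPacket) ++packets;  // custom per-packet processing goes here
    }
    return n == 0 ? packets : -1;  // a partial header means the stream was cut short
}

int main() {
    // Fixed command string: popen hands it to the shell, so never splice untrusted input into it.
    FILE* p = POPEN("tshark -r C:\\git\\example.pcapng -c 2 -w -", PMODE);
    if (!p) return 1;
    const long packets = count_packets(p);
    PCLOSE(p);
    std::printf("packets: %ld\n", packets);
    return packets < 0;
}
```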


tshark man page:

On Windows systems, pipe names must be of the form "\\.\pipe\pipename".

Chuckc
answered 2023-10-24 11:45:12 +0000, updated 2023-10-24 11:46:03 +0000

Comments

Windows also accepts pipe names with the syntax "//./pipe/pipename". I like it better because the escape characters can be avoided.

In either case I have also tried using "\.\pipe\pipename" and "\\.\pipe\pipename" and the result is the same.

Thanks!

and08 (2023-10-25 01:42:29 +0000)

I don't see a way to make a pipe without firing up the compiler. Found an example using PowerShell but not sure it would give the same results you are seeing. Sorry.

Chuckc (2023-10-25 23:07:11 +0000)
