Need help with "-w -" option to understand, which dump raw packets to stdout

Tejas Patel tejaspatel_20 at
Fri Jul 17 08:35:46 EDT 2020

Hello Experts,

I am writing one utility for one of my project, where currently I create pcap file by dumping packets information capturing through raw socket. But now I am planning to do it same as "tcpdump -i eth0 -w - | wireshark -k -i -" does, simply write to stdout and then I can pipe it to remote machine wireshark so that I can have live capture over there.

Currently I am doing like this, to capture packets to file, and it is working fine. I can open file into wireshark as expected.
write(fileno(fp), &pcapfh, 24);
write(fileno(fp), &pcaphdr, sizeof(pcaphdr));
write(fileno(fp), pkt_ptr, bytes_to_write);

But when I start dump to stdout, as below, it does not work. Wireshark not able to open live capture.
write(fileno(stdout), &pcapfh, 24);
write(fileno(stdout), &pcaphdr, sizeof(pcaphdr));

write(fileno(stdout), pkt_ptr, bytes_to_write);
For example - sshpass -p 'bnpBDE1LmA868lEKa9eQ.0' ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root at /sbin/tcpdump -i eth0 -w - 'not port 22' | wireshark -k -i -My goal is to capture packets from to my local machine with live capture, as per above example.

If anybody can help me to understand format requirement to dump to stdout, so that wireshark can understand live capture, that would be great help.
Br,Tejaskumar Kasundra+91 9004015850

More information about the tcpdump-workers mailing list