After stumbling across another Super User post about loopback packet capture on Windows, I was directed to RawCap, a utility that provides pseudo-capture of loopback packets. RawCap writes to libpcap files that Wireshark can read. This is great for capturing and then displaying the captured data, but I have a use case where I would like to view these packets captured in real time.
Wireshark supports streaming packets from STDIN, but RawCap doesn't support directing its output to STDOUT. It can only write to a file. RawCap does support an option to disable buffering, writing each packet to the file as it comes in.
Is there some third utility I can use, similar to tail that will output contents of a file as it is being written to under windows, so I can pipe from a RawCap capture file to Wireshark in real time?
RawCap -> Intermediate File -> Tail-Like Utility for Binary -> Wireshark STDIN
Best Answer
It turns out I can actually just use
tailfor this. It isn't ideal since it's probably looking for\nin the data before outputting, but there is enough data in packet captures to make this work it seems. Here's what I did:rawcap -f 127.0.0.1 localhost.pcaptail -c +1 -f localhost.pcap | wireshark -k -i -Because RawCap needs your initial terminal, you'll need to start a second one for the tail. Also, obviously substitute in any paths you need.
A bit of a hack, but it works! I can only hope that Wireshark will include shelling RawCap as a more direct method in a future release.