My Knowledge Base

User Tools

Site Tools


Cisco VIRL PE 1.6 Live Packet Capture with Wireshark 3.0


You may have wanted to do real time capture with Wireshark in VIRL simulation lab like as GNS3 experiense.

GNS3 supports integrated easily Wireshark Live Capture feature.

GNS3 installer will be installed Wireshark, Npcap installed at a time.

In VIRL case, there is packet capture feature. And VM Maestro says can live packet capture.

I found many offline capture documents, but there is few documentation for live capture.

Finally, I found live capture methodologies with Wireshark. I noted this topic detail.

VIRL Live Packet Capture (Windows) - 33250 - The Cisco Learning Network

Thanks a lot great described script!!!!

Capture Environment

  1. VMware vSphere Hypervisor (ESXi) 6.5
  2. Cisco VIRL PE 1.6
    1. IP:

I think VIRL consists OpenStack, and may use internally tcpdump for packet capture, and socat expose to external port.

Expose VIRL tcpdump traffic via socat, and transport with ncat simple TCP connection, and pipe to wireshark STDIN(Standard Input).
Then, Wireshark real time GUI is come up.

virl@virl:~$ ps aux | grep tcpdump
root      3301  0.0  0.0  20980  3224 ?        S    00:04   0:00 /bin/bash /var/local/virl/logs/4438199f-ceda-4acd-a642-f3a7bea4ec57.cmd 4438199f-ceda-4acd-a642-f3a7bea4ec57 socat -U TCP6-LISTEN:'10001,fork,max-children=3' SYSTEM:'timeout 86400 tcpdump -U -i tap6774d374-40 -w - -W 1 -c 1000000 -G 86400 --  | dd bs=1 count=10MB'
root      3302  0.0  0.0  24368  1680 ?        S    00:04   0:00 socat -U TCP6-LISTEN:10001,fork,max-children=3 SYSTEM:timeout 86400 tcpdump -U -i tap6774d374-40 -w - -W 1 -c 1000000 -G 86400 --  | dd bs=1 count=10MB
virl      3490  0.0  0.0  14224  1028 pts/1    S+   00:05   0:00 grep --color=auto tcpdump

following technics applicable for UNIX environments Linux, Mac, and so on.

Client PC Prerequisite

  1. Wireshark 3.0

We install Nmap, but we want to ncat binary actually.

If you install Wireshark 3.x already Npcap may already installed, so you do not need to install Npcap (check off) during Nmap installation process.


Launch VM Maestro and, launch simulation and select capture interface you want.

Click link, right click interface, then navigate Packet Captures, Create new…

Select Live capture on TCP port in General Settings → Capture mode and click OK.

All another fields are optional.

To Identify capture session exposed TCP port, select Open Packet Capture view, then Packet Captures view opend.

Find desired capture session, check Live Port column value.

Launch real time Wireshark session by double clicking script described below, and enter Live Port value.

Original script available here. Thank you again great script!

VIRL Live Packet Capture (Windows) - 33250 - The Cisco Learning Network

Following script configured VIRL PE IP statically for me. So, I launch this script and only need to input VIRL exposed port.

If you customize install Nmap, Wireshark, change NETCAT_PATH, WIRESHARK_PATH.

@echo off

REM This batch file is primarily the work of other users in our community. I have just adapted a simple GUI
REM to make the script more user freindly. 
REM Thank you to user Flex from our Support community for creating the initial batch file
REM Thank you to for your continued input and fun bits. 
REM Make sure that you have installed zenmap ( on your system. 
REM Adapted by:
REM Last Modified: Sep 5, 2017
MODE con:cols=80 lines=12
set NETCAT_PATH=%PROGRAMFILES(x86)%\Nmap\ncat.exe
set WIRESHARK_PATH=%PROGRAMFILES%\Wireshark\Wireshark.exe
set /P PCAP_PORT="Live Port : "
echo Reading live pCap from port %PCAP_PORT%.
echo Close this window to stop capture!

all done!!

You can allocate any shortcut, register your favorite launcher program.

Another Usage: Remote real time packet capture with Wireshark over SSH

This remote captured packet transport and stdin Wireshark capture method applicable any real trouble shooting cases, i.e. identify accessing thread.

Following example using PuTTY, Wireshark, tcpdump.
Capture filter excludes SSH traffic because noisy and amplifing SSH traffic because capctured traffic also transported over SSH.

plink -ssh "sudo tcpdump -w - not port 22" | Wireshark.exe -k -i -


tech/network/virl/live-capture-with-wireshark/live-capture-with-wireshark.txt · Last modified: 2019/11/27 13:34 by wnoguchi