My Knowledge Base

User Tools

Site Tools


This is an old revision of the document!

Cisco VIRL PE 1.6 Live Packet Capture with Wireshark 3.0


You may have wanted to do real time capture with Wireshark in VIRL simulation lab like as GNS3 experiense.

GNS3 supports integrated easily Wireshark Live Capture feature.

GNS3 installer will be installed Wireshark, Npcap installed at a time.

In VIRL case, there is packet capture feature. And VM Maestro says can live packet capture.

I found many offline capture documents, but there is few documentation for live capture.

Finally, I found live capture methodologies with Wireshark. I noted this topic detail.

VIRL Live Packet Capture (Windows) - 33250 - The Cisco Learning Network

Capture Environment

  1. VMware vSphere Hypervisor (ESXi) 6.5
  2. Cisco VIRL PE 1.6
    1. IP:

I think VIRL consists OpenStack, and may use internally tcpdump for packet capture, and socat expose to external port.

Expose VIRL tcpdump traffic via socat, and transport with ncat simple TCP connection, and pipe to wireshark STDIN(Standard Input).
Then, Wireshark real time GUI is come up.

following technics applicable for UNIX environments Linux, Mac, and so on.

Client PC Prerequisite

  1. Wireshark 3.0

We install Nmap, but we want to ncat binary actually.

If you install Wireshark 3.x already Npcap may already installed, so you do not need to install Npcap (check off) during Nmap installation process.

virl@virl:~$ ps aux | grep tcpdump
root      3301  0.0  0.0  20980  3224 ?        S    00:04   0:00 /bin/bash /var/local/virl/logs/4438199f-ceda-4acd-a642-f3a7bea4ec57.cmd 4438199f-ceda-4acd-a642-f3a7bea4ec57 socat -U TCP6-LISTEN:'10001,fork,max-children=3' SYSTEM:'timeout 86400 tcpdump -U -i tap6774d374-40 -w - -W 1 -c 1000000 -G 86400 --  | dd bs=1 count=10MB'
root      3302  0.0  0.0  24368  1680 ?        S    00:04   0:00 socat -U TCP6-LISTEN:10001,fork,max-children=3 SYSTEM:timeout 86400 tcpdump -U -i tap6774d374-40 -w - -W 1 -c 1000000 -G 86400 --  | dd bs=1 count=10MB
virl      3490  0.0  0.0  14224  1028 pts/1    S+   00:05   0:00 grep --color=auto tcpdump


Original script available here.

VIRL Live Packet Capture (Windows) - 33250 - The Cisco Learning Network

Following script configured VIRL PE IP statically.

@echo off
REM This batch file is primarily the work of other users in our community. I have just adapted a simple GUI
REM to make the script more user freindly. 
REM Thank you to user Flex from our Support community for creating the initial batch file
REM Thank you to for your continued input and fun bits. 
REM Make sure that you have installed zenmap ( on your system. 
REM Adapted by:
REM Last Modified: Sep 5, 2017
MODE con:cols=80 lines=12
set NETCAT_PATH=%PROGRAMFILES(x86)%\Nmap\ncat.exe
set WIRESHARK_PATH=%PROGRAMFILES%\Wireshark\Wireshark.exe
set /P PCAP_PORT="Live Port : "
echo Reading live pCap from port %PCAP_PORT%.
echo Close this window to stop capture!

double click or register your favorite launcher program.

all done!!

Another Usage: Remote real time packet capture with Wireshark over SSH

This remote captured packet transport and stdin Wireshark capture method applicable any real trouble shooting cases, i.e. identify accessing thread.

Following example using PuTTY, Wireshark, tcpdump.
Capture filter excludes SSH traffic because noisy and amplifing SSH traffic because capctured traffic also transported over SSH.

plink -ssh "sudo tcpdump -w - not port 22" | Wireshark.exe -k -i -


tech/network/virl/live-capture-with-wireshark/live-capture-with-wireshark.1574827042.txt.gz · Last modified: 2019/11/27 12:57 by wnoguchi