Live Packet Capture in Wireshark With GNS3

By stretch | Wednesday, April 6, 2011 at 1:13 a.m. UTC

Dynagen and its complementary GUI GNS3 provide the very handy ability to capture traffic sent between emulated devices. Packets are written to a capture file on disk, which can then be opened with a packet analyzer like Wireshark. The only downside to this is that the traffic does not appear live in the analysis application; the capture buffer is populated only with the pakcets which have been recorded up to that point.

In Wireshark, the contents of a capture file can be refreshed by pressing Ctrl+R, but this requires tedious manual intervention and navigating to the end of the buffer every time. After taking a clue from the Wireshark wiki I was able to modify the way in which Wireshark reads capture files generated by Dynagen/GNS3 and achieve a near-real-time view of the traffic, as if it was being sniffed from a physical interface. My solution should work on all UNIX-like systems (e.g. Linux), but Windows users will have to look elsewhere.

The trick is to continuously dump the capture file being written by Dynagen to standard output, which can be fed to Wireshark as standard input. Open the preferences dialog in GNS3 (Edit > Preferences...) and select capture preferences. Modify the default Wireshark command from /usr/bin/wireshark %c to read as follows. (Thanks to e36freak in #bash on Freenode for assistance manipulating the shell command to work in GNS3!)

tail --bytes=+0 -f %c | wireshark -k -i -


Also, check the option to automatically start the command when capturing.

Here's how the command works: The tail executable with the -f argument constantly outputs the content of the capture file as it is written. The --bytes=+0 bit instructs tail to begin from the first byte of the file. (This part is optional, but recommended to avoid "unknown libpcap format" errors in Wireshark.) The output of tail is piped to Wireshark. Wireshark's arguments instruct it to begin capturing immediately from standard input.

Now, Wireshark should start immediately after selecting a capture interface and its capture buffer should be updated nearly in real-time. Tail introduces a ~1-second delay, which can be tweaked with the -s argument if desired.


You might receive an error indicating that the capture file "is empty, no traffic captured on the link." This simply means that no packets were captured in the time between initiating the capture and starting Wireshark. Right-clicking on the interface in GNS3 again and selecting "Start Wireshark" a moment later should resolve it (assuming there is traffic flowing across the interface being captured).

The solution described here will also work using Dynagen alone: Simply execute the command above by hand, substituting %c with the appropriate file name.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Tips and Tricks


arth (guest)
April 6, 2011 at 8:33 a.m. UTC

Nice article, I used to have the same problem in Windows which I wanted to capture packets on Wireshark from Dynagen in Windows.

Well, I don't know whether is there a better solution, here's how I did it:

Create 2 loopback adapters in Windows.

Then map the router interfaces in the network file to the loopback adapter:

R1 E0/0 -> Windows Loopback Adapter1

R2 E0/0 -> Windows Loopback Adapter2

We can then bridge the 2 loopback adapters in Windows and startup Wireshark to monitor these "real" interfaces while we generate traffic in Dynagen.

Hope this fill in the blanks for Windows users and they might not have to look elsewhere!

chris (guest)
April 6, 2011 at 12:49 p.m. UTC

Well, technically it is Dynamips that creates the PCAP files (this part of code was written by Greg Anuzelli, who also wrote Dynagen).

April 6, 2011 at 1:52 p.m. UTC

Great idea!

bi0os (guest)
April 6, 2011 at 6:41 p.m. UTC

Just install the tail for windows and follow the howto =)

April 9, 2011 at 12:23 p.m. UTC


on linux, i use to attach links i want to sniff on in a tap device:

(as root) tunctl -u YourUsername

this creates a tapX device you can use.

Than attach that in the cloud and.. just sniff locally.

See ya ;)

April 13, 2011 at 4:19 a.m. UTC

Add star
sarath kumar Wed, Apr 13, 2011 at 9:41 AM
Reply | Reply to all | Forward | Print | Delete | Show original
please send procedure for token bus,token ring ,packet
transmission,link state algorithm,distance vector routing
algorithm,goback N ARQ,selecitve rejectarq

April 23, 2011 at 11:35 p.m. UTC

This worked great with Ubuntu Desktop 10.10, GNS3 0.7.3 and Wireshark 1.2.11.
Thanks for another great article.

May 17, 2011 at 6:35 a.m. UTC

I am trying to do the same under windows, what I know now is that if I press CRTL+R I refresh the packet capture, but still not "real time capture".

Kind regards

May 19, 2011 at 4:34 p.m. UTC

hello All, recently my colleague told me that he tried SPAN or RSPAN for live Wireshark captures in GNS, he connected a router with switch module and directed traffic to loopback on his physical machine (his laptop) and got live captures, what do you think about it ?

Jeremy (guest)
June 13, 2012 at 5:28 a.m. UTC


FYI, newer versions of GNS3 now support live traffic capture with Wireshark.

September 19, 2012 at 8:40 p.m. UTC

Jeremy, its awesome. Thats why I love linux!

February 2, 2013 at 10:45 a.m. UTC

thanks for the article. works like a charm

ali.abry (guest)
August 22, 2013 at 9:41 a.m. UTC

Thanks man . it worked perfectly.

thanh (guest)
November 26, 2013 at 3:01 a.m. UTC

Thank you very much!

Comments have closed for this article due to its age.