The latest stable version, 1.6.7, of TShark gives the following error message when trying to capture and save packets at the same time with a read filter specified:

C:\>"c:\Program Files\Wireshark_1.6.7\tshark.exe" -R sip -w file
tshark: Read filters aren't supported when capturing and saving the captured packets.

This limitation was introduced in version 1.4.0. Earlier versions supported this combination:

C:\>"c:\Program Files\Wireshark_1.3.5\tshark.exe" -R sip -w file
Capturing on Intel(R) 82566DM-2 Gigabit Network Connection (Microsoft's Packet Scheduler)

The comment in tshark.c is not too informative regarding this:

Does anyone know why this limitation was introduced? Would it be possible to allow -R and -w at the same time again in the latest version?

Laszlo BORTEL

asked 23 Apr '12, 03:22 bortel
One Answer:
See "bug" 2234; this is expected behavior after the privilege separation that was created by introducing dumpcap as the capture engine.

answered 23 Apr '12, 06:39 SYN-bit
Thank you very much for the answer - though it does not make me happy.
Is there any workaround to simulate the old behaviour of TShark? Along the lines that I have read in bug 2234 I think of piping the output of the capturing TShark instance into the filtering TShark instance, like this:
C:\Program Files\Wireshark_1.7.1>tshark.exe -w- | tshark -i- -R dns
Capturing on Standard input
Capturing on Intel(R) 82566DM-2 Gigabit Network Connection (Microsoft's Packet Scheduler)
tshark: Error reading from pipe: The operation completed successfully. (error 0)
0 packets captured 74
tshark: The file to which the capture was being saved ("-") could not be closed: Invalid argument.
But it does not seem to work on Windows XP with TShark version 1.7.1 ...