This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Read filters aren’t supported when capturing and saving the captured packets.


The latest stable version of TShark (1.6.7) gives the following error message when trying to capture and save packets at the same time with a read filter specified:

    C:\>"c:\Program Files\Wireshark_1.6.7\tshark.exe" -R sip -w file
    tshark: Read filters aren't supported when capturing and saving the captured packets.

This limitation was introduced in version 1.4.0. Earlier versions supported this combination:

    C:\>"c:\Program Files\Wireshark_1.3.5\tshark.exe" -R sip -w file
    Capturing on Intel(R) 82566DM-2 Gigabit Network Connection (Microsoft's Packet Scheduler)

The comment in tshark.c is not too informative regarding this:

    /* Currently, we don't support read filters when capturing
       and saving the packets. */
    if (rfilter != NULL) {
      cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
      return 1;
    }

Does anyone know why this limitation was introduced? Would it be possible to allow -R and -w at the same time again in the latest version?

Laszlo BORTEL

asked 23 Apr '12, 03:22

bortel


One Answer:


See "bug" 2234; this is expected behavior after the privilege separation that was created by introducing dumpcap as the capture engine.

answered 23 Apr '12, 06:39

SYN-bit

Thank you very much for the answer - though it does not make me happy.

Is there any workaround to simulate the old behaviour of TShark? Along the lines of what I have read in bug 2234, I am thinking of piping the output of the capturing TShark instance into the filtering TShark instance, like this:

    C:\Program Files\Wireshark_1.7.1>tshark.exe -w- | tshark -i- -R dns
    Capturing on Standard input
    Capturing on Intel(R) 82566DM-2 Gigabit Network Connection (Microsoft's Packet Scheduler)
    tshark: Error reading from pipe: The operation completed successfully. (error 0)
    0 packets captured 74
    tshark: The file to which the capture was being saved ("-") could not be closed: Invalid argument.

But it does not seem to work on Windows XP with TShark version 1.7.1 ...

(25 Apr '12, 03:30) bortel
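
The split discussed in this thread, as an added example that is not part of the original posts and is not Wireshark code: a capture stage emits raw pcap records, and a separate stage that needs no capture privileges does the protocol-aware filtering and saving. The function names and the sample packets are constructed for illustration; it assumes little-endian classic pcap carrying Ethernet/IPv4/UDP and treats the incoming stream as untrusted.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def is_udp_port(frame, port):
    """True if frame is Ethernet/IPv4/UDP with source or destination port == port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # EtherType IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length
    if ihl < 20 or frame[23] != 17 or len(frame) < 14 + ihl + 4:  # 17 = UDP
        return False
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return port in (sport, dport)

def filter_pcap_stream(src, dst, keep):
    """Copy records for which keep(frame) is true from pcap stream src to dst.
    Returns (records_read, records_written)."""
    header = src.read(24)
    if len(header) != 24 or struct.unpack_from("<I", header)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap stream")
    snaplen = struct.unpack_from("<I", header, 16)[0]
    dst.write(header)
    seen = kept = 0
    while True:
        rec = src.read(16)
        if not rec:
            return seen, kept                 # clean end of stream
        if len(rec) != 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack_from("<I", rec, 8)[0]
        if incl_len > snaplen:                # refuse oversized length fields
            raise ValueError("record longer than snaplen")
        frame = src.read(incl_len)
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        seen += 1
        if keep(frame):
            dst.write(rec + frame)
            kept += 1

def _udp_frame(sport, dport):                 # constructed sample packet
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_capture():
    """Constructed three-packet capture: DNS query, SIP, DNS reply."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for sport, dport in [(40000, 53), (5060, 5060), (53, 40000)]:
        f = _udp_frame(sport, dport)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```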