
Changing Display Filter to Capture Filter


In a previous question, I received some excellent explanation for a display filter. Now, I would like to use that filter with tshark. When I use the current one with tshark, I get a message that says it's a valid display filter but not a valid capture filter. What are the differences?

The display filter suggested was

udp.port==9565 or udp.port==9570 or udp.port==6000 or tcp.port==9946 or tcp.port==9988 or tcp.port==42124 or (tcp.port>=10000 and tcp.port<=20000)

asked 08 May '12, 21:54

Perceptus

edited 09 May '12, 00:31

helloworld


One Answer:


As answered in the other question.

The syntax of display filters is totally different from the syntax of capture filters.

You can use this capture filter.

(udp and (port 9565 or port 9570 or port 6000)) or (tcp and (port 9946 or port 9988 port 42124 or portrange 10000-20000))

portrange works at least with 1.6.2 (just tested). If it does not work with an earlier version (not checked), please upgrade.


answered 08 May '12, 22:26

Kurt Knochner ♦

edited 09 May '12, 00:32

Do you have a link for where I can find out this information? Your answer is exactly what I was looking for. I tried to search the online documentation for the information you gave but I keep ending up on Display Filters instead.

(09 May '12, 10:43) Perceptus

take a look at the man page of pcap-filter:

(09 May '12, 11:12) Kurt Knochner ♦

Have a look at the docs page on the Wireshark web site:

Display Filters

Capture Filters

(09 May '12, 12:17) grahamb ♦

portrange works with 0.9 and later. :-)

I.e., whether portrange works is a function of the version of libpcap/WinPcap, not a function of the version of Wireshark. Libpcap 0.9 and later have support for it; I'm not sure which version of WinPcap was the first one based on libpcap 0.9.x, but WinPcap 4.0 and later are based on libpcap 0.9.x and later, so WinPcap 4.x should support portrange.

(09 May '12, 14:41) Guy Harris ♦♦

tshark -f '(udp (port 9565 or port 9570 or port 6000)) or (tcp (port 9946 or port 9988 port 42124 or portrange 10000-20000))' -i eth0 -w c:\capture.cap keeps saying

tshark: Capture filters were specified both with "-f" and with additional command-line arguments

What am I missing?

(09 May '12, 16:39) Perceptus

The capture filter is invalid, which might be causing that misleading error message. There should be an or right before port 42124.

tshark '(udp and (port 9565 or port 9570 or port 6000)) or (tcp and (port 9946 or port 9988 or port 42124 or portrange 10000-20000))'

(09 May '12, 16:52) helloworld

It's the stupidity of M$ DOS box. If you use " instead of ', it will work, e.g. tshark -f "(udp ...)".

BTW: eth0 is not a valid interface name on windows. Get the list of interfaces with 'dumpcap -D -M' and then use the interface ID, e.g. tshark -i 2.

(10 May '12, 02:01) Kurt Knochner ♦
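The translation worked out in this thread, as an added example that is not part of the original posts or of Wireshark itself: a Python sketch that converts the subset of display-filter syntax used in the question (or-joined `tcp.port`/`udp.port` tests and a `>=`/`<=` range pair) into pcap-filter syntax. The function names `to_capture_filter` and `tshark_command` are hypothetical, and the default interface ID is only the example value from the last comment.

```python
import re

# Display-filter terms this sketch understands (a subset chosen to cover the
# filter in the question): proto.port==N and (proto.port>=A and proto.port<=B).
RANGE = re.compile(
    r"\(\s*(tcp|udp)\.port\s*>=\s*(\d+)\s+and\s+\1\.port\s*<=\s*(\d+)\s*\)")
SINGLE = re.compile(r"(tcp|udp)\.port\s*==\s*(\d+)")


def to_capture_filter(display_filter: str) -> str:
    """Translate an or-joined list of port tests into a libpcap capture filter."""
    terms = {"udp": [], "tcp": []}
    for part in re.split(r"\s+or\s+", display_filter.strip()):
        part = part.strip()
        m = RANGE.fullmatch(part)
        if m:
            proto, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if not lo <= hi <= 65535:
                raise ValueError(f"bad port range: {part!r}")
            terms[proto].append(f"portrange {lo}-{hi}")
            continue
        m = SINGLE.fullmatch(part)
        if m:
            proto, port = m.group(1), int(m.group(2))
            if port > 65535:
                raise ValueError(f"bad port: {part!r}")
            terms[proto].append(f"port {port}")
            continue
        # Refuse anything else instead of emitting a filter that silently
        # captures something different from what was asked for.
        raise ValueError(f"unsupported display-filter term: {part!r}")
    groups = [f"({proto} and ({' or '.join(ports)}))"
              for proto, ports in terms.items() if ports]
    return " or ".join(groups)


def tshark_command(capture_filter: str, interface: str = "2") -> str:
    # Double quotes keep the filter a single argument in cmd.exe, where
    # single quotes are not quoting characters.
    return f'tshark -i {interface} -f "{capture_filter}"'


if __name__ == "__main__":
    question = ("udp.port==9565 or udp.port==9570 or udp.port==6000 or "
                "tcp.port==9946 or tcp.port==9988 or tcp.port==42124 or "
                "(tcp.port>=10000 and tcp.port<=20000)")
    print(tshark_command(to_capture_filter(question)))
```

Note that `portrange 10000-20000` is stricter than the display-filter pair: `tcp.port>=10000 and tcp.port<=20000` is also satisfied when one port of a packet is at least 10000 and the other is at most 20000.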