This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Changing Display Filter to Capture Filter

0

In a previous question, I received some excellent explanation for a display filter. Now, I would like to use that filter with tshark. When I use the current one with tshark, I get a message that says it's a valid display filter but not a valid capture filter. What are the differences?

The display filter suggested was

udp.port==9565 or udp.port==9570 or udp.port==6000 or tcp.port==9946 or tcp.port==9988 or tcp.port==42124 or (tcp.port>=10000 and tcp.port<=20000)

asked 08 May '12, 21:54


Perceptus

edited 09 May '12, 00:31


helloworld


One Answer:

2

As answered in the other question.

The syntax of display filters is totally different from the syntax of capture filters.

You can use this capture filter.

(udp and (port 9565 or port 9570 or port 6000)) or (tcp and (port 9946 or port 9988 port 42124 or portrange 10000-20000))

portrange works at least with 1.6.2 (just tested). If it does not work with earlier versions (not checked), please upgrade.

Regards
Kurt

answered 08 May '12, 22:26


Kurt Knochner ♦

edited 09 May '12, 00:32

Do you have a link for where I can find out this information? Your answer is exactly what I was looking for. I tried to search the online documentation for the information you gave but I keep ending up on Display Filters instead.

(09 May '12, 10:43) Perceptus

Take a look at the man page of pcap-filter:

http://www.manpagez.com/man/7/pcap-filter/

(09 May '12, 11:12) Kurt Knochner ♦

Have a look at the docs page on the Wireshark web site:

Display Filters

Capture Filters

(09 May '12, 12:17) grahamb ♦

portrange works with 0.9 and later. :-)

I.e., whether portrange works is a function of the version of libpcap/WinPcap, not a function of the version of Wireshark. Libpcap 0.9 and later have support for it; I'm not sure which version of WinPcap was the first one based on libpcap 0.9.x, but WinPcap 4.0 and later are based on libpcap 0.9.x and later, so WinPcap 4.x should support portrange.

(09 May '12, 14:41) Guy Harris ♦♦

tshark -f '(udp (port 9565 or port 9570 or port 6000)) or (tcp (port 9946 or port 9988 port 42124 or portrange 10000-20000))' -i eth0 -w c:\capture.cap keeps saying

tshark: Capture filters were specified both with "-f" and with additional command-line arguments

What am I missing?

(09 May '12, 16:39) Perceptus

The capture filter is invalid, which might be causing that misleading error message. There should be an or right before port 42124.

tshark '(udp and (port 9565 or port 9570 or port 6000)) or (tcp and (port 9946 or port 9988 or port 42124 or portrange 10000-20000))'

(09 May '12, 16:52) helloworld
1

It's the stupidity of M$ DOS box. If you use " instead of ', it will work, e.g. tshark -f "(udp ...)".

BTW: eth0 is not a valid interface name on windows. Get the list of interfaces with 'dumpcap -D -M' and then use the interface ID, e.g. tshark -i 2.

(10 May '12, 02:01) Kurt Knochner ♦
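The hand translation in the answer, and the missing-`or` diagnosis in the comments, automated for the narrow display-filter subset used in this thread (port equality tests and parenthesised `>=`/`<=` port ranges joined by `or`). This is an added example, not code from the thread or from Wireshark; `parse_display_filter`, `to_capture_filter` and `find_adjacent_ports` are hypothetical helper names, and anything outside that subset is rejected rather than guessed at.

```python
import re

# One display-filter port test, e.g. "udp.port==9565" or "tcp.port>=10000".
_CLAUSE = re.compile(r"(udp|tcp)\.port\s*(==|>=|<=)\s*(\d+)")


def parse_display_filter(expr):
    """Map the thread's display-filter subset to pcap-filter primitives,
    grouped by transport protocol: {"udp": ["port N", ...], "tcp": [...]}.
    Unsupported clauses raise ValueError (no silent approximation)."""
    terms = {"udp": [], "tcp": []}
    for piece in re.split(r"\bor\b", expr):      # top-level 'or' only; ranges hold 'and'
        clauses = _CLAUSE.findall(piece)
        ops = [op for _, op, _ in clauses]
        protos = {proto for proto, _, _ in clauses}
        if len(clauses) == 1 and ops == ["=="]:
            terms[clauses[0][0]].append(f"port {clauses[0][2]}")
        elif (len(clauses) == 2 and sorted(ops) == ["<=", ">="]
              and len(protos) == 1 and re.search(r"\band\b", piece)):
            bounds = {op: int(num) for _, op, num in clauses}
            lo, hi = bounds[">="], bounds["<="]
            if lo > hi:
                raise ValueError(f"empty range in {piece.strip()!r}")
            terms[protos.pop()].append(f"portrange {lo}-{hi}")
        else:
            raise ValueError(f"unsupported clause: {piece.strip()!r}")
    return terms


def to_capture_filter(expr):
    """Render the parsed terms as '(udp and (...)) or (tcp and (...))',
    the shape the answer builds by hand."""
    groups = []
    for proto, items in parse_display_filter(expr).items():
        if items:
            groups.append(f"({proto} and ({' or '.join(items)}))")
    return " or ".join(groups)


def find_adjacent_ports(capture_filter):
    """Spot two port primitives with no 'and'/'or' between them, the defect
    the comments diagnose ("port 9988 port 42124").  Returns the port value
    just before the gap, or None when every port primitive is joined."""
    tokens = re.findall(r"[^\s()]+", capture_filter)   # parentheses are irrelevant here
    for i in range(len(tokens) - 2):
        if tokens[i] in ("port", "portrange") and tokens[i + 2] in ("port", "portrange"):
            return tokens[i + 1]
    return None
```

Running `to_capture_filter` on the display filter from the question yields exactly the corrected capture filter given in the comments, and `find_adjacent_ports` returns `"9988"` for the filter as first posted in the answer.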