Hi all, I am looking for a command that I can use to filter a particular IP. For example, I just want to get info about 10.82.23.343 and store it in the file hello.cap. How will I go about doing that from the command line [Linux]? FYI, I have used the command tshark -i 2 -p -w hello.cap to capture and it works, but I want to know how do I filter on a particular IP address.
asked 25 Jul '12, 08:22 helloworld0722
One Answer:
Please try this.
host x.x.x.x will filter only traffic from and to that IP address. Please read the wiki for a more complete list of capture filters:
Regards
answered 25 Jul '12, 08:31 Kurt Knochner ♦ edited 25 Jul '12, 14:13
thanks, it works!! (25 Jul '12, 08:43) helloworld0722
Kurt, I also wanted to know if the capture/filter can be done on multiple files, for example tshark -i 2 -p -w hello.cap hello2.cap host 10.82.23.343. Is this possible? Or is there a way to merge the capture into two files?
You can specify the option -w several times, but only the last one will be used (just tested).
Why do you want to write the file two times? You can just copy it after you're done with capturing? Can you please add some more information?
BTW: The IP Address 10.82.23.343 is not going to work, unless you have your own special IP stack ;-)
I have several .cap files which I combine into one file with mergecap. My question is: can I use mergecap and tshark together and apply a filter so that the result file only contains the filtered IP?
You can do that with tshark, after you merged the files.
HINT: -R requires Display Filters!
Yes, I got that to work, but what if I want to filter out multiple IPs?
just specify them:
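The following is an added example, not part of the original thread or any poster's command: a shell helper that validates each IPv4 address (rejecting values such as 10.82.23.343) and builds either a capture filter or a display filter for several hosts, then prints the capture, merge and filter commands discussed above. The addresses, the function names and the file names a.cap, b.cap, merged.cap and filtered.cap are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build tshark filters for several IPv4 addresses.

# Succeed only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_filter MODE IP...
#   capture -> capture (BPF) filter, as used with "host x.x.x.x"
#   display -> display filter, as required by -R
build_filter() {
    mode=$1; shift
    case "$mode" in
        capture) prefix="host ";       join=" or " ;;
        display) prefix="ip.addr == "; join=" || " ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 2; }
    out=
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
        out="${out:+$out$join}$prefix$ip"
    done
    printf '%s\n' "$out"
}

# Constructed sample addresses and file names (a.cap, b.cap, merged.cap,
# filtered.cap are hypothetical). The commands are printed, not executed.
cf=$(build_filter capture 10.82.23.34 10.82.23.35)
df=$(build_filter display 10.82.23.34 10.82.23.35)
echo "tshark -i 2 -p -w hello.cap -f \"$cf\""
echo "mergecap -w merged.cap a.cap b.cap"
# Newer tshark releases take the display filter with -Y instead of -R.
echo "tshark -r merged.cap -R \"$df\" -w filtered.cap"
```

The capture filter joins hosts with "or", while the display filter joins ip.addr comparisons with "||"; mixing the two syntaxes is the usual reason a filter is rejected.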