Is there a way to apply a display filter to a cap file and save it as a separate cap file with the filtered data only? E.g.:
1. I have a cap file with full packets.
2. Apply a display filter to the first cap and save the filtered packets into another cap file.
I need this to be done through tshark or some other CLI utility. Thanks in advance.
asked 01 Aug '12, 04:42 ArunDev, edited 01 Aug '12, 04:45
One Answer:
You can do
answered 01 Aug '12, 04:48 Jasper
Hi, thanks for your answer. But when I try to do this I am getting the message below:
"tshark: The capture file being read can't be written as a "pcapng" file."
Command used:
tshark -r C:\Users....\Desktop\TDP\new.cap -R "http.referer" -w C:\Users....\Desktop\file2.cap
The first cap file is captured using nmcap (NTMON) and the OS I use is Windows 7.
Am I doing anything wrong?
Thanks
Looks like tshark has some trouble writing your nmcap format as pcap-ng. You can try and see if it works when writing to pcap format, by adding the parameter "-F libpcap" to the other parameters.
I can open the netmon cap file in Wireshark and save it as pcap or pcapng, and found that the above command works fine. I need everything to be done through cmd. Is there any other way I can get the result? Thanks
You could also use editcap to convert the files first if tshark doesn't; maybe it works with that approach. editcap also has the -F parameter which can be used to write a different file format. You could write a script that converts the file first using editcap and then filters it by using tshark.
Thank you. The trick worked! First I converted my nmcap to k12txt and back to pcap. Now tshark can do anything.
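
The convert-then-filter script suggested in the thread, written out as an added example (it is not code posted by any participant). The parameter names, the temporary file name and the error handling are assumptions; the flags are the ones quoted in the thread (`-R`, `-F libpcap`). Newer tshark releases take the display filter with `-Y` and name the file type `pcap`; `tshark -h` and `editcap -F` (with no value) show what the installed version accepts.

```powershell
# Added example: convert a Network Monitor capture with editcap, then
# filter the converted file with tshark. All names here are illustrative.
param(
    [Parameter(Mandatory = $true)][string]$InFile,    # e.g. the nmcap capture
    [Parameter(Mandatory = $true)][string]$OutFile,   # filtered result
    [string]$Filter = 'http.referer',                 # filter used in the thread
    [string]$Format = 'libpcap'                       # file type named in the thread
)

# Both tools ship in the Wireshark install directory and must be on PATH.
foreach ($tool in 'editcap', 'tshark') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "$tool not found on PATH"
    }
}
if (-not (Test-Path -LiteralPath $InFile)) {
    throw "Input capture not found: $InFile"
}

# Intermediate file for the converted capture (constructed name).
$tmp = Join-Path $env:TEMP ("converted_{0}.pcap" -f [guid]::NewGuid().ToString('N'))

try {
    # Step 1: rewrite the capture in a format tshark is able to write.
    & editcap -F $Format $InFile $tmp
    if ($LASTEXITCODE -ne 0) { throw "editcap failed with exit code $LASTEXITCODE" }

    # Step 2: apply the filter and write only the matching packets.
    & tshark -r $tmp -R $Filter -F $Format -w $OutFile
    if ($LASTEXITCODE -ne 0) { throw "tshark failed with exit code $LASTEXITCODE" }

    Write-Output "Filtered capture written to $OutFile"
}
finally {
    # Remove the intermediate file even when a step fails.
    if (Test-Path -LiteralPath $tmp) { Remove-Item -LiteralPath $tmp }
}
```

Checking `$LASTEXITCODE` after each tool stops the script at the step that failed, so a failed conversion is not mistaken for an empty filter result.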