This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: write packets matching a filter

0

Greetings.

On a production system, I'm using "dumpcap -i any -b ..." to capture all network traffic on the machine and write it to a rotating set of files, so I have a set of files containing all of the network traffic for the previous few hours.

I need to know how to read one or more of these files, filter out specific types of traffic (based on client IP address), and write the matching packets to a new pcap file which contains only the matching packets.

The closest I have so far is this:

mergecap -w- live*.pcap | tshark -i- -R 'ip.addr==1.2.3.4' -w 1.2.3.4.pcap

What I have found is that, without the "-w" option, the output (lines of text describing each packet) contains only the selected packets. However, with the "-w" option, the output contains every packet from the input, whether it matches the filter or not.

How can I get just the packets which match a specific filter?

asked 02 Oct '12, 12:47


jms1
16113
accept rate: 100%


One Answer:

1

The problem is the CentOS 6 "base" yum repository, which is hideously out of date. It contains wireshark version 1.0.15.

I just tried it with wireshark 1.8.3, and the following command line works:

mergecap -a -F libpcap -w- live*.pcap | tshark -r- -R 'ip.addr==1.2.3.4' -w 1.2.3.4.pcap

Note that I also tried it with 1.8.2 on a laptop where wireshark had been installed previously; the same command fails with this error message:

tshark: The file "-" could not be opened: Illegal seek.

answered 02 Oct '12, 20:06


jms1
16113
accept rate: 100%

The code used by Wireshark and TShark to read capture files tries to determine the file type by having code for all the file types it understands read some of the file and indicate whether it's of that type or not. This involves each of those code modules rewinding the file and reading from it; pipes do not support seeks, so it might fail.

1.8.0 and later allow seeking within buffered data read into memory, so it might work in some cases (cases where not too much data was read); what does "tshark -v" print on the machine where you got "Illegal seek"?

(03 Oct '12, 01:20) Guy Harris ♦♦
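
The behaviour described in the comment above, as an added illustration that is not part of the original thread and is not Wireshark's code: each format probe rewinds the input before reading, which fails with ESPIPE ("Illegal seek") on a pipe unless the bytes already read are kept in memory. The class and function names, the 4096-byte limit and the sample header are assumptions made for this sketch.

```python
import errno, os, struct
# Constructed sample: 24-byte libpcap global header (little-endian, Ethernet).
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

class FdStream:  # direct reads and seeks on a descriptor, no buffering
    def __init__(self, fd): self.fd = fd
    def seek(self, off): os.lseek(self.fd, off, os.SEEK_SET)
    def read(self, n): return os.read(self.fd, n)

class BufferedRewind:
    """Remembers bytes already read so seeks inside that window succeed."""
    def __init__(self, raw, limit=4096):
        self.raw, self.buf, self.pos, self.limit = raw, b"", 0, limit
    def seek(self, off):
        if off > len(self.buf):
            raise OSError(errno.ESPIPE, "seek outside buffered data")
        self.pos = off
    def read(self, n):
        need = self.pos + n - len(self.buf)
        if need > 0:
            if len(self.buf) + need > self.limit:
                raise OSError(errno.ESPIPE, "read past buffer limit")
            self.buf += self.raw.read(need)
        out = self.buf[self.pos:self.pos + n]
        self.pos += len(out)
        return out

def is_pcapng(f):  # each probe rewinds first, then checks its own magic
    f.seek(0)
    return f.read(4) == b"\x0a\x0d\x0d\x0a"
def is_pcap(f):
    f.seek(0)
    return f.read(4) in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4")

def detect(f):
    for name, probe in (("pcapng", is_pcapng), ("pcap", is_pcap)):
        if probe(f):
            return name

def run(wrap):
    """Feed SAMPLE through a real pipe; return the detected type or the errno name."""
    r, w = os.pipe()
    os.write(w, SAMPLE); os.close(w)
    try:
        return detect(wrap(FdStream(r)))
    except OSError as e:
        return errno.errorcode[e.errno]
    finally:
        os.close(r)
```

`run(lambda s: s)` probes the pipe directly and `run(BufferedRewind)` probes it through the in-memory window; a limit smaller than what the probes read brings the seek failure back.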