The man page for tshark implies -R will work on live captures, but my output files are not filtered.

tshark -b filesize:50000 -R '(mgcp||sip||sdp||rtpevent)' -i any -w tshark.cap

tshark is not filtering the dumpcap data at all. I would like to filter the data to limit the size of the pcap files. Thanks

CentOS 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

asked 30 Jan '13, 13:56 GnuBomb
2 Answers:
You need to apply capture filters, not display filters. "-R" is used for display filters, so you need to use "-f" instead. Unfortunately, the filter syntax for capture filters is quite different from the syntax of display filters, so you need to adjust it.

answered 30 Jan '13, 14:00 Jasper ♦♦ edited 30 Jan '13, 14:04
There is a bug open which tracks this... deficiency; in fact the bug has been listed in the KnownProblems section of the release notes for each release for many years now.

answered 31 Jan '13, 06:40 JeffMorriss ♦

And see comment 22 in the bug that shows how you can filter via a pipe with some restrictions. (31 Jan '13, 07:21) grahamb ♦
This is from the man page (it states read filters can be used during live capture):
Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter
Yes, you can use read filters, but they will limit what tshark shows on the screen, not what goes into the file - if you only use read filters, all packets will still be written to file. They will just not be shown while filtering. To limit packets in the file, you need to apply capture filters.
Okay, thanks for the reply.
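The adjustment Jasper describes (rewriting the protocol names from the display filter as a BPF capture filter for -f), together with the point from the comments that a read filter only selects what -w writes when tshark reads from a file, as an added shell example that is not part of the thread. It assumes tshark is on PATH and that the services use their IANA default ports (MGCP 2427/2727 over UDP, SIP 5060); the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes tshark is on PATH and that the
# services run on their IANA default ports: MGCP 2427/2727 (UDP), SIP 5060.

# Translate the protocol names from the poster's display filter into a BPF
# capture filter for -f. A capture filter only sees packet headers, so each
# protocol has to be expressed as a port match rather than by dissection.
bpf_for_protocols() {
  filter=""
  for proto in "$@"; do
    case "$proto" in
      mgcp) term="udp port 2427 or udp port 2727" ;;
      sip)  term="port 5060" ;;
      sdp)  continue ;;   # no port of its own: carried in SIP and MGCP bodies, so those terms cover it
      rtpevent)           # RTP events ride on dynamically negotiated RTP ports, which a static BPF cannot follow
        echo "warning: $proto uses dynamic RTP ports; not expressible as a capture filter" >&2
        continue ;;
      *) echo "error: no capture-filter mapping for '$proto'" >&2; return 1 ;;
    esac
    if [ -z "$filter" ]; then
      filter="($term)"
    else
      filter="$filter or ($term)"
    fi
  done
  printf '%s\n' "$filter"
}

# Live capture: -f hands the filter to dumpcap, so only matching packets are
# written to the rotating files (-b filesize: as in the question).
live_capture_filtered() {
  bpf=$(bpf_for_protocols "$@") || return 1
  [ -n "$bpf" ] || { echo "error: empty capture filter" >&2; return 1; }
  tshark -i any -f "$bpf" -b filesize:50000 -w tshark.cap
}

# Second stage: when tshark reads a saved file, a display filter does decide
# what -w writes, so the protocol-level filter (rtpevent included) can be
# applied after the capture. -Y is the display-filter option in tshark 1.10
# and later; the 1.8 series used -R for this.
postfilter_capture_file() {
  in_file=$1
  out_file=$2
  tshark -r "$in_file" -Y 'mgcp || sip || sdp || rtpevent' -w "$out_file"
}

# Usage (assumed file names):
#   live_capture_filtered mgcp sip sdp rtpevent
#   postfilter_capture_file tshark.cap voip-only.pcap
```

The two-stage approach keeps the capture small with a port-based filter and then trims it to exactly the dissected protocols; the warning for rtpevent is the practical consequence of capture filters matching ports rather than protocols.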