The man page for tshark implies -R will work on live captures but my output files are not filtered.
tshark -b filesize:50000 -R '(mgcp||sip||sdp||rtpevent)' -i any -w tshark.cap
tshark is not filtering the dumpcap data at all. I would like to filter the data to limit the size of the pcap files.
CentOS 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
asked 30 Jan '13, 13:56
You need to apply capture filters, not display filters. "-R" is used for display filters, so you need to use "-f" instead. Unfortunately, the filter syntax for capture filters is quite different from the syntax of display filters, so you need to adjust it.
answered 30 Jan '13, 14:00
edited 30 Jan '13, 14:04
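The adjustment described in the answer above, as an added example that is not part of the original posts: capture filters use BPF syntax and cannot name application protocols such as sip or mgcp, so the filter is written in terms of ports. The port numbers are assumptions (the default SIP port 5060 and MGCP ports 2427 and 2727), and `build_capture_filter` and `capture_command` are hypothetical helper names; the script prints the tshark command rather than starting a capture.

```shell
#!/bin/sh
# Added example: build a BPF capture filter from "proto:port" pairs.
# Assumed default ports: SIP 5060 (UDP and TCP), MGCP gateway 2427,
# MGCP call agent 2727. Change these if your deployment differs.
SIGNALLING_PORTS="udp:5060 tcp:5060 udp:2427 udp:2727"

build_capture_filter() {
    # Emits "udp port 5060 or tcp port 5060 ..." or fails on bad input.
    filter=""
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec##*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol: $proto" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        if [ -z "$filter" ]; then
            filter="$proto port $port"
        else
            filter="$filter or $proto port $port"
        fi
    done
    if [ -z "$filter" ]; then echo "no ports given" >&2; return 1; fi
    printf '%s\n' "$filter"
}

capture_command() {
    # Same options as the command in the question, with -R replaced by -f.
    # Word splitting of SIGNALLING_PORTS is intentional.
    f=$(build_capture_filter $SIGNALLING_PORTS) || return 1
    printf "tshark -b filesize:50000 -f '%s' -i any -w tshark.cap\n" "$f"
}

capture_command
```

SDP is carried inside SIP and MGCP message bodies, so it is captured along with them. RTP events travel in RTP streams on dynamically negotiated UDP ports, so a fixed-port capture filter like this one does not capture them.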