This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tcpdump -R not filtering live captures

0

The man page for tshark implies -R will work on live captures but my output files are not filtered.

tshark -b filesize:50000 -R '(mgcp||sip||sdp||rtpevent)' -i any -w tshark.cap

tshark is not filtering the dumpcap data at all. I would like to filter the data to limit the size of the pcap files.

Thanks

CentOS 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

asked 30 Jan '13, 13:56

GnuBomb's gravatar image

GnuBomb
11113
accept rate: 0%


2 Answers:

3

You need to apply capture filters not display filters. "-R" is used for display filters, so you need to use "-f" instead. Unfortunately, the filter syntax for capture filters is quite different from the syntax of display filters, so you need to adjust it.

answered 30 Jan '13, 14:00

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 30 Jan '13, 14:04

This is from the man page (it states read filters can be used during live capture):

Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter

(30 Jan '13, 14:14) GnuBomb

Yes, you can use read filters, but they will limit what tshark shows on the screen, not what goes into the file - if you only use read filters, all packets will still be written to file. They will just not be shown while filtering. To limit packets in the file, you need to apply capture filters.

(30 Jan '13, 14:21) Jasper ♦♦

Okay, thanks for the reply.

(30 Jan '13, 14:33) GnuBomb

1

There is a bug open which tracks this... deficiency; in fact the bug has been listed in the KnownProblems section of the release notes for each release for many years now.

answered 31 Jan '13, 06:40

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

And see comment 22 in the bug that shows how you can filter via a pipe with some restrictions.

(31 Jan '13, 07:21) grahamb ♦