I have a huge file in the pcap format from a dumpcap capture. I am wanting to create a second file that only contains packets going to or from a certain range of MAC address. So I tried doing something like this:
But when I do, the resulting file is the same as the input. The filter syntax works fine in wireshark; is there a different filter syntax that I need to use for dumpcap? Does the dumpcap filter not work when reading from stdin?
I'm using Dumpcap 1.2.11 from Ubuntu 10.10
asked 23 Jan '11, 11:26
I think the problem is that -f is a capture filter syntax and you are using a display filter. I think currently Dumpcap only works with capture filters. What about trying tshark with the filter starting -R instead of -f. This will allow you to read it in using the display filter syntax you have:
tshark -r inputfile.pcap -R 'eth.src[0:3] == 90:21:55 || eth.dst[0:3] == 90:21:55' -w outputfile.pcap
answered 23 Jan '11, 14:32
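Added example (not part of the question or the answer above): a small Python script that applies the same MAC-prefix rule offline to a classic pcap file, copying the global header and keeping only the records whose source or destination MAC starts with 90:21:55. The pcap bytes are constructed inline, and the CAPTURE_FILTER string is my own BPF equivalent of the display filter for use with dumpcap -f, not something stated on the page.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic (microsecond timestamps)
OUI = bytes.fromhex("902155")    # the 3-byte prefix from the question (90:21:55)

# Editor's BPF equivalent of the display filter, usable with dumpcap -f.
# libpcap can only load 1, 2 or 4 bytes, so the 4th byte is masked away.
CAPTURE_FILTER = ("(ether[6:4] & 0xffffff00) = 0x90215500 or "
                  "(ether[0:4] & 0xffffff00) = 0x90215500")

def pcap_records(data):
    """Yield (record_header, frame) for every packet in a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"   # handles byte-swapped files
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack(endian + "IIII", hdr)[2]
        yield hdr, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def matches_oui(frame, oui=OUI):
    """Ethernet II: destination MAC is bytes 0-5, source MAC is bytes 6-11."""
    return len(frame) >= 14 and (frame[0:3] == oui or frame[6:9] == oui)

def filter_pcap(data, oui=OUI):
    """Return (filtered_pcap_bytes, kept_count); the global header is copied as-is."""
    out = bytearray(data[:24])
    kept = 0
    for hdr, frame in pcap_records(data):
        if matches_oui(frame, oui):
            out += hdr + frame
            kept += 1
    return bytes(out), kept

# --- constructed sample input (not a real capture) ---
def make_frame(dst_hex, src_hex):
    return bytes.fromhex(dst_hex + src_hex) + b"\x08\x00" + b"\x00" * 32

def make_pcap(frames):
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return gh + recs

SAMPLE = make_pcap([
    make_frame("001122334455", "902155aabbcc"),   # source MAC matches
    make_frame("902155ddeeff", "001122334455"),   # destination MAC matches
    make_frame("001122334455", "665544332211"),   # neither: should be dropped
])
```

Calling `filter_pcap(open("inputfile.pcap", "rb").read())` and writing the first element of the result to a new file gives the same packets the tshark command above would keep; pcapng files need a different reader.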