This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark commandline

0

When following command executed

wireshark -i \DEVICE\NPF_{42C75388-2A3B-4C42-B581-F1E7604B7255} -k -f port 80 -c 10

wireshark:You can't specify both a live capture and a capture file to be read.

Any reason for this message

asked 11 Jun '13, 20:44

krishnayeddula's gravatar image

krishnayeddula
629354148
accept rate: 6%

edited 11 Jun '13, 20:54

One Answer:

2

You need to contain the capture filter in quotes:

wireshark -i \DEVICE\NPF_{42C75388-2A3B-4C42-B581-F1E7604B7255} -k -f "port 80" -c 10

answered 11 Jun '13, 21:02

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%

Thanks it worked but wireshark -i \DEVICE\NPF_{42C75388-2A3B-4C42-B581-F1E7604B7255} -k -f tcp -c 10 is working with out any quotes.

(11 Jun '13, 21:05) krishnayeddula

That one works without quotes because there is no space in it. If you have spaces, you need quotes to contain it otherwise it thinks "port" is your capture filter and it doesn't know what 80 is.

(11 Jun '13, 21:10) Quadratic
1

Another note, if you run tshark -D you will get a list of the configured adaptors ordered by "index" and that index number can be used in place of the \Device\NPF_{GUID} string, e.g. tshark -i 1 ...

(11 Jun '13, 23:44) grahamb ♦