Capturing the packets of two (not all) interfaces // tshark

Hello!

tshark -D
1. eth0
2. eth2
3. eth3
4. any (Pseudo-device that captures on all interfaces)
5. lo

Capturing the packets of eth2 and eth3 only is needed, with the aid of tshark. How can I do it?

asked 30 Jul '13, 21:31

factorial

edited 31 Jul '13, 01:20

grahamb ♦


One Answer:

Install Wireshark 1.8 or later if Wireshark isn't installed or if an earlier version of Wireshark is installed, and then do

tshark -i eth2 -i eth3 {other tshark command-line arguments}

If you want to specify a capture filter for all interfaces, specify -f {filter} before all the -i arguments. If you want to specify a capture filter or filters for some but not all interfaces, specify -f {filter} after the -i argument for the interface on which the capture filter {filter} should be used.

NOTE: "Install Wireshark 1.8 or later if Wireshark isn't installed or if an earlier version of Wireshark is installed" is an important step; multiple -i arguments, and capturing on multiple interfaces at once, is NOT supported in Wireshark 1.6.x or earlier.

answered 31 Jul '13, 01:30

Guy Harris ♦♦

Thanks! I tried -i twice:

  tshark -v 
  TShark 1.2.11
  tshark -i eth2 -i eth3 -w test.pcap
  Running as user "root" and group "root". This could be dangerous.
  Capturing on eth3...
  ...

The capture was performed on just interface eth3.

(31 Jul '13, 01:44) factorial

I converted your "answer" to a "comment", please see the FAQ.

Guy's disclaimer:

NOTE: "Install Wireshark 1.8 or later if Wireshark isn't installed or if an earlier version of Wireshark is installed" is an important step; multiple -i arguments, and capturing on multiple interfaces at once, is NOT supported in Wireshark 1.6.x or earlier.

Your version:

TShark 1.2.11

Please upgrade your Wireshark installation (TShark is part of Wireshark and uses the same version numbering).

(31 Jul '13, 01:49) SYN-bit ♦♦

Ok! Thanks once more!

(31 Jul '13, 01:54) factorial
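
The version requirement and the -f/-i ordering rule from the answer above, as an added example that is not part of the original thread: a POSIX shell sketch that checks the `tshark -v` banner and builds the argument list. The helper names `version_ok` and `build_capture_args`, the `iface=filter` spec syntax, and the sample banner and filter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; version_ok and build_capture_args are hypothetical helper names.

# Succeeds when the `tshark -v` banner reports 1.8 or later, the first
# release line the answer says accepts multiple -i arguments.
version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^ *TShark[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2            # banner not recognised
    set -- $ver                          # $1 = major, $2 = minor
    # Compare numerically so that 1.10 counts as newer than 1.8.
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 8 ]; }
}

# build_capture_args GLOBAL_FILTER SPEC...
# SPEC is "iface" or "iface=capture filter". Prints one argument per line:
# a non-empty GLOBAL_FILTER becomes -f before every -i, and a per-interface
# filter becomes -f directly after its own -i.
build_capture_args() {
    global=$1
    shift
    if [ -n "$global" ]; then
        printf '%s\n' -f "$global"
    fi
    for spec in "$@"; do
        case $spec in
            *=*) printf '%s\n' -i "${spec%%=*}" -f "${spec#*=}" ;;
            *)   printf '%s\n' -i "$spec" ;;
        esac
    done
}

# Constructed sample banner; on a real host use: banner=$(tshark -v | head -n 1)
banner='TShark 1.2.11'
if version_ok "$banner"; then
    build_capture_args '' eth2 'eth3=tcp port 443'
else
    echo "tshark too old for multiple -i arguments: $banner" >&2
fi
```

The output is one argument per line so that a capture filter containing spaces stays a single argument when the lines are read back into an argument list.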