This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to filter out specific fields of specific packet types in a live capture?


Hi,

I am using tshark and I would like to store the 802.11 headers of a live capture in text format. That means that I would like to "cut" the data portion of data frames so that it won't be written to my text file, but keep everything else (the headers of all data, management and control frames).

I figure that since I am mostly interested in the headers, this will dramatically reduce the size of my output files. As of now, a 10MB pcap gets translated to a 100MB txt file.

Is it possible to do that with some capture filter option, or shall I have to settle for using a perl script to cut that portion of the output file in a second phase?

Thanks in advance!

asked 31 Aug '13, 05:46

whiteshark


One Answer:


I figure that since I am mostly interested in the headers, this will dramatically reduce the size of my output files.

The best way is to limit the capture size during the capture phase.

tcpdump -ni eth0 -s 100 .....
dumpcap -ni eth0 -s 100 .....
wireshark -ni eth0 -s 100 ....

If you want to truncate a capture file later, you can use editcap.

editcap -s 100 input.pcap output.pcap

The actual capture size depends on your needs, so maybe you just open the current capture file and count the bytes you need.

Regards
Kurt

answered 31 Aug '13, 14:26

Kurt Knochner ♦
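What the snapshot length actually does to a capture file is easy to see at the pcap-record level. The following is an added example, not code from this thread or from the Wireshark project: it reimplements the effect of editcap -s N on a classic little-endian pcap, using constructed 802.11 frames (one small beacon, two data frames carrying 1400 bytes of payload) so it runs without any capture tool installed. The frame contents and the 24-byte header layout are assumptions for illustration; LINKTYPE_IEEE802_11 (105) is the real pcap link type for raw 802.11 frames. The point it shows is that truncation shrinks only incl_len (the bytes stored), while orig_len still records the frame's true size, so a truncated capture still tells you how large each frame was.

```python
"""Truncate a classic pcap to a snapshot length, the way `editcap -s N` does.

Constructed example: a beacon-like management frame and two 802.11 data
frames with 1400-byte payloads. Only the stored bytes (incl_len) shrink;
orig_len keeps the original frame size.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames without a radiotap header

# Classic pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# Per-packet record header: ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)
RECORD_HDR = struct.Struct("<IIII")


def wifi_header(frame_control):
    """Constructed 24-byte 802.11 MAC header: FC, duration, addr1..3, sequence control."""
    bssid = bytes.fromhex("001122334455")  # constructed address, not a real device
    return frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"


# Constructed frames: beacon (type mgmt, subtype 8) with a 60-byte body,
# data frame (type data, subtype 0) with LLC/SNAP marker plus 1400 payload bytes.
BEACON_FRAME = wifi_header(b"\x80\x00") + bytes(60)
DATA_FRAME = wifi_header(b"\x08\x00") + b"\xaa\xaa\x03" + bytes(1400)


def write_pcap(packets, linktype=LINKTYPE_IEEE802_11, snaplen=65535):
    """Serialize (sec, usec, frame_bytes) tuples into an untruncated pcap image."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, frame in packets:
        out += RECORD_HDR.pack(sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Parse a pcap image into (snaplen, linktype, [(sec, usec, incl_len, orig_len, bytes)])."""
    magic, _, _, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = GLOBAL_HDR.size
    records = []
    while off < len(data):
        sec, usec, incl, orig = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        records.append((sec, usec, incl, orig, data[off:off + incl]))
        off += incl
    return snaplen, linktype, records


def truncate_pcap(data, snaplen):
    """Mimic `editcap -s snaplen`: keep at most snaplen stored bytes per record,
    write the new snaplen into the global header, and preserve orig_len."""
    _, linktype, records = read_pcap(data)
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, incl, orig, frame in records:
        kept = frame[:snaplen]
        out += RECORD_HDR.pack(sec, usec, len(kept), orig)
        out += kept
    return bytes(out)


SAMPLE_PCAP = write_pcap([(0, 0, BEACON_FRAME), (0, 500, DATA_FRAME), (0, 1000, DATA_FRAME)])


def size_report(snaplen):
    """Return (bytes before, bytes after, [(incl_len, orig_len), ...]) for a given snaplen."""
    truncated = truncate_pcap(SAMPLE_PCAP, snaplen)
    _, _, records = read_pcap(truncated)
    return len(SAMPLE_PCAP), len(truncated), [(incl, orig) for _, _, incl, orig, _ in records]


if __name__ == "__main__":
    before, after, recs = size_report(100)
    print(f"file size: {before} -> {after} bytes with snaplen 100")
    for incl, orig in recs:
        print(f"  stored {incl:4d} of {orig:4d} bytes")
```

With snaplen 100 the 84-byte beacon is stored whole, while each data frame keeps its 24-byte MAC header plus the first 76 bytes of body and still reports 1427 as its original length. Picking the snaplen means deciding how much of the body you need to keep, which is exactly the "count the bytes you need" step in the answer.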