It finally dawned on me that DumpCap was the workaround for the memory situation. But I am having trouble concocting my filter argument. To wit (you have to scroll all the way to the right to see the offending argument):
edited 21 Feb '11, 17:40
One Answer:
dumpcap -f requires a capture filter (not a display filter). See: http://wiki.wireshark.org/CaptureFilters

I don't think it's possible to do a string search with a capture filter; maybe you can use a capture filter (by IP address/port or whatever) to limit the traffic captured with dumpcap and then apply the display filter when you read the capture file with wireshark/tshark.

answered 21 Feb '11, 19:20 Bill Meier ♦♦
Bingo!
Capture Filter: -f "src net 10.0.0.4"
Display Filter: syslog.msg contains "INVITE sip:"
Thanks.
To put a finer point on it:
Excellent, Thanks very much :)
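The two-stage workflow from the answer, with the concrete filters from the follow-up comment, as an added worked example that is not part of the original thread or of Wireshark's own code. On a real box the two stages are `dumpcap -i eth0 -f "src net 10.0.0.4" -w sbc.pcap` (capture filter, BPF, cheap, applied by the kernel) followed by `tshark -r sbc.pcap -Y 'syslog.msg contains "INVITE sip:"'` (display filter, applied by the dissectors when the file is read; very old tshark builds spell the read filter `-R`). The interface name `eth0` and file name `sbc.pcap` are assumptions. The script below reproduces the same split in pure stdlib Python so it runs offline: it builds a small libpcap file from constructed syslog traffic, applies a reimplementation of `src net` with pcap-filter's masking rule for bare dotted forms (a dotted quad such as `10.0.0.4` is treated as /32, so `src net 10.0.0.4` matches exactly what `src host 10.0.0.4` does), and then applies a substring match on the syslog message the way the display filter would. The helper names (`src_net_filter`, `syslog_msg_contains`, `two_stage_filter`) are hypothetical, and the syslog split on the `<PRI>` prefix is a simplification of what the real dissector does.

```python
"""Capture filter vs display filter, done in two stages like dumpcap + tshark.

Added example, not Wireshark code. Stage 1 mimics the BPF capture filter
`src net 10.0.0.4` (an address test the kernel can do). Stage 2 mimics the
display filter `syslog.msg contains "INVITE sip:"` (a payload string search
BPF cannot express) applied to the saved capture file.
"""
import ipaddress
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport payload")
PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap header, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame around payload (checksums left at 0; readers tolerate that)."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + udp


def build_pcap(frames):
    """Serialise frames as a libpcap file (the format dumpcap -w can write)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1298309999 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Walk a libpcap file and yield a Packet for every IPv4/UDP frame in it."""
    off = 24                                             # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # not IPv4, or not UDP
            continue
        l4 = 14 + (frame[14] & 0x0F) * 4                 # Ethernet header + IHL
        sport, dport, ulen = struct.unpack_from("!HHH", frame, l4)
        yield Packet(ipaddress.IPv4Address(frame[26:30]),
                     ipaddress.IPv4Address(frame[30:34]),
                     sport, dport, frame[l4 + 8:l4 + ulen])


def src_net_filter(net_expr):
    """Predicate for the capture filter `src net NET` (hypothetical helper).

    pcap-filter masks a bare dotted form by its octet count: a dotted quad is
    /32 (so `src net 10.0.0.4` equals `src host 10.0.0.4`), a triple /24, a pair
    /16, a single number /8. An explicit NET/LEN is honoured as written.
    """
    if "/" in net_expr:
        network = ipaddress.ip_network(net_expr, strict=False)
    else:
        octets = net_expr.split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        network = ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    return lambda pkt: pkt.src in network


def syslog_msg(payload):
    """Text after the <PRI> prefix, a simplified stand-in for the syslog.msg field."""
    text = payload.decode("utf-8", errors="replace")
    close = text.find(">")
    if text.startswith("<") and 0 < close <= 4 and text[1:close].isdigit():
        return text[close + 1:]
    return text


def syslog_msg_contains(needle):
    """Predicate for the display filter `syslog.msg contains "NEEDLE"` (hypothetical helper).
    Needs the dissected payload, so it runs over the saved file, never inside BPF."""
    return lambda pkt: pkt.dport == 514 and needle in syslog_msg(pkt.payload)


def two_stage_filter(pcap_bytes, capture_pred, display_pred):
    """Stage 1 (dumpcap -f): keep what the capture filter passes.
    Stage 2 (tshark -r FILE -Y): apply the display filter to that result."""
    captured = [p for p in iter_pcap(pcap_bytes) if capture_pred(p)]
    shown = [p for p in captured if display_pred(p)]
    return captured, shown


# Constructed sample traffic (not from the original post): syslog from the host
# at 10.0.0.4, syslog from another host, and a non-syslog UDP flow from 10.0.0.4.
SAMPLE_PCAP = build_pcap([
    build_udp_frame("10.0.0.4", "10.0.0.20", 40001, 514,
                    b"<134>Feb 21 17:40:01 sbc sip: INVITE sip:bob@example.com SIP/2.0"),
    build_udp_frame("10.0.0.4", "10.0.0.20", 40001, 514,
                    b"<134>Feb 21 17:40:02 sbc sip: SIP/2.0 200 OK"),
    build_udp_frame("10.0.0.9", "10.0.0.20", 40002, 514,
                    b"<134>Feb 21 17:40:03 pbx sip: INVITE sip:alice@example.com SIP/2.0"),
    build_udp_frame("10.0.0.4", "10.0.0.53", 40003, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
])


def run_example():
    """Return (packets kept by the capture filter, packets shown by the display filter)."""
    captured, shown = two_stage_filter(SAMPLE_PCAP,
                                       src_net_filter("10.0.0.4"),
                                       syslog_msg_contains("INVITE sip:"))
    return len(captured), len(shown)


if __name__ == "__main__":
    captured, shown = run_example()
    print(f"capture filter kept {captured} packets, display filter shows {shown}")
```

The point the split makes visible: the capture filter keeps three of the four packets (everything sourced from 10.0.0.4, including the non-syslog flow, which is why adding `and udp port 514` to the `-f` expression would trim the file further), and only the post-capture string match narrows that to the single INVITE. If the memory problem that prompted the question is driven by volume, the capture filter is what reduces it; the display filter only decides what you see afterwards.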