This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DumpCap: Quotes Within Quotes?

0

It finally dawned on me that DumpCap was the workaround for the memory situation.

But I am having trouble concocting my filter argument.

To wit (you have to scroll all the way to the right to see the offending argument):

C:\BAT>"C:\Program Files\Wireshark\dumpcap.exe" -w \\NAS\Temp\DumpCap.pcap  -i \Device\NPF_{35418EFA-22FB-4ADF-A88C-892918610B9F}  -f "syslog.msg contains \"INVITE sip:\""
    Invalid capture filter: "syslog.msg contains "INVITE sip:""!
    That string isn't a valid capture filter (syntax error).
    See the User's Guide for a description of the capture filter syntax.

Seems like the quotes are resolving as expected, just that DumpCap isn't buying it.

asked 21 Feb '11, 17:21

PeteCress

accept rate: 0%

edited 21 Feb '11, 17:40


One Answer:

2

dumpcap -f requires a capture filter (not a display filter).

See: http://wiki.wireshark.org/CaptureFilters

I don't think it's possible to do a string search with a capture filter.

Maybe you can use a capture filter (by ip address/port or whatever) to limit the traffic captured with dumpcap and then apply the display filter when you read the capture file with wireshark/tshark.

answered 21 Feb '11, 19:20


Bill Meier ♦♦
accept rate: 17%

Bingo!

Capture Filter: -f "src net 10.0.0.4"

Display Filter: syslog.msg contains "INVITE sip:"

Thanks.

(22 Feb '11, 05:46) PeteCress

To put a finer point on it:

    :* =======================================================================
    :* PURPOSE: To capture network traffic from VOIP adapter and then show
    :*          same using WireShark to open the capture file.
    :* =======================================================================

    @ECHO OFF

    ECHO .
    ECHO Ctl-C, then reply "N" to stop and view
    ECHO .

    CD "C:\Program Files\WireShark"

    REM UNC path to the capture file (the share needs two leading backslashes)
    SET DumpLoc=\\NAS\Temp\DumpCap.pcap

    REM Stage 1: capture with a BPF capture filter; string matching is not possible here
    dumpcap.exe -w %DumpLoc% -i \Device\NPF_{35418EFA-22FB-4ADF-A88C-892918610B9F} -f "src net 10.0.0.4"

    REM Stage 2: open the file with a display (read) filter; quotes inside the filter are escaped as \"
    WireShark.exe -r %DumpLoc% -R "syslog.msg contains \"INVITE sip:\" and syslog.msg contains \"Proxy\""

(22 Feb '11, 06:30) PeteCress
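An added example, not from the thread or the Wireshark project, that wires the two stages from the answer and the batch file above together from Python: it rejects the original display-filter-as-capture-filter mistake before dumpcap is launched, and sidesteps the quotes-within-quotes problem by passing arguments as a list instead of a shell string. The interface GUID, dumpcap path and UNC path come from the thread; the tshark path, the tshark -Y read filter and the syntax heuristic are assumptions.

```python
import re
import subprocess
from typing import List

# Paths taken from the thread; the tshark path is an assumption (it ships
# in the same folder as dumpcap).
DUMPCAP = r"C:\Program Files\Wireshark\dumpcap.exe"
TSHARK = r"C:\Program Files\Wireshark\tshark.exe"
IFACE = r"\Device\NPF_{35418EFA-22FB-4ADF-A88C-892918610B9F}"
PCAP = r"\\NAS\Temp\DumpCap.pcap"

# Heuristic (not a full parser): operators and "proto.field <op>" forms that
# exist only in the display-filter language, never in BPF capture-filter syntax.
_DISPLAY_ONLY = re.compile(
    r"\b(contains|matches)\b|\b[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+\s*(==|!=|~|>=|<=)"
)


def looks_like_display_filter(expr: str) -> bool:
    """True if dumpcap -f would reject `expr` because it is display-filter syntax."""
    return _DISPLAY_ONLY.search(expr) is not None


def dumpcap_argv(iface: str, outfile: str, capture_filter: str) -> List[str]:
    """Stage 1: capture with a BPF filter; refuse display-filter syntax up front."""
    if looks_like_display_filter(capture_filter):
        raise ValueError(f"{capture_filter!r} is display-filter syntax; "
                         "dumpcap -f needs a capture filter such as 'src net 10.0.0.4'")
    return [DUMPCAP, "-i", iface, "-w", outfile, "-f", capture_filter]


def tshark_argv(infile: str, display_filter: str) -> List[str]:
    """Stage 2: read the file back with a display filter (-Y); string matching lives here."""
    return [TSHARK, "-r", infile, "-Y", display_filter]


def windows_command_line(argv: List[str]) -> str:
    # This is the quoting subprocess applies on Windows for the MS C runtime:
    # embedded quotes come out as \" with no hand-written escaping in the filter.
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    cap = dumpcap_argv(IFACE, PCAP, "src net 10.0.0.4")
    show = tshark_argv(PCAP, 'syslog.msg contains "INVITE sip:"')
    print(windows_command_line(cap))
    print(windows_command_line(show))
    # On a host with Wireshark installed, run the two stages in order:
    # subprocess.run(cap, check=True); subprocess.run(show, check=True)
```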

Excellent, Thanks very much :)

(19 Feb '15, 03:20) Bumpudll3