Hi, I am trying to set a capture filter to capture only DHCP packets and also a display filter for the same. I know we can use the -f option with tshark for a capture filter, and normally DHCP packets come on port 67 or port 68. I apply the same capture filter in the Wireshark GUI and it captures fine. But when I try through the Command Prompt it gives wrong syntax errors. Command:

    tshark -i 2 -f "port 67 or port 68" -R "bootp" -w capture.pcap

Please help, I have been trying for a long time.
What version are you running, on what OS, and what exactly is the error? On the version I have currently (I'm a bit lazy and haven't updated for a while from 1.9.2 development version), I get the following error:

    ./tshark.exe -n -i 3 -f "port 67 or port 68" -R "bootp" -w capture.pcap
    tshark: Read filters aren't supported when capturing and saving the captured packets.

This error isn't so much a syntax issue in that you can't use BOTH capture and read (the equivalent of Wireshark display filters) at the same time if you are saving the file.

I am running on Windows 7 OS and the Wireshark version is Version 1.2.8 (SVN Rev 32676). Even trying with the normal capture filter syntax, which is like:

    tshark -i 2 -f "port 67 or port 68" -w capture.pcap

does not work!! Are the quotes correctly given? Do I need to change anything in the command?
(25 Oct '13, 18:59)
Gourab Majumdar
When you write, "does not work!!", what exactly do you mean? The command fails or you fail to capture DHCP traffic? Perhaps you could provide answers to:
(26 Oct '13, 11:58)
cmaynard ♦♦
    tshark -i 5 -2 -R "http" -w test.pcap
    tshark: Read filters aren't supported when capturing and saving the captured packets.

and

    tshark -i 5 -Y "http" -w test.pcap
    tshark: Display filters aren't supported when capturing and saving the captured packets.

are both expected behaviors. This is "Bug 2234" as explained at: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234

You can capture to a file, then use a capture filter with tshark and direct your output to a new file using tshark. I also just successfully used the following (using v1.10.2):

    dumpcap -i 5 -w - | tshark -r - -Y "http" -w file.pcap