wireshark capture filter syntax

HI,

I am trying to set a capture filter to capture only DHCP packets and also a display filter for the same.

I know we can use -f option with tshark for capture filter and normally DHCP packets come on port 67 or port 68. I apply the same capture filter in wireshark GUI and it captures fine.

But when i try through Command Prompt its gives wrong syntax errors command: tshark -i 2 -f "port 67 or port 68" -R "bootp" -w capture.pcap

please help I am trying for a long time

capture capture-filter

asked 10 Oct '13, 23:07

Koushik Gane...
11●1●1●2
accept rate: 0%

2 Answers:

active answers oldest answers newest answers popular answers

What version are you running, on what OS, and what exactly is the error. On the version I have currently (I'm a bit lazy and haven't updated for a while from 1.9.2 development version), I get the following error.

./tshark.exe -n -i 3 -f "port 67 or port 68" -R "bootp" -w capture.pcap tshark: Read filters aren't supported when capturing and saving the captured packets.

This error isn't so much a syntax issue in that you can't use BOTH capture and read (the equivalent of Wireshark display filters) at the same time if you are saving the file.

permanent link

answered 11 Oct '13, 02:59

martyvis
891●1●5●25
accept rate: 7%

I am running on windows 7 OS and the wireshark version is - Version 1.2.8 (SVN Rev 32676)

even trying with the normal capture filter syntax which is like: tshark -i 2 -f "port 67 or port 68" -w capture.pcap

does not work !! is the qoutes correctly given. do i need to change anything in the command ?

(25 Oct '13, 18:59) Gourab Majumdar

When you write, "does not work!!", what exactly do you mean? The command fails or you fail to capture DHCP traffic?

Perhaps you could provide answers to:

Are you sure you've specified the correct interface number? You can use tshark.exe -D to verify.
What is the exact output when you run that command, tshark -i 2 -f "port 67 or port 68" -w capture.pcap?

(26 Oct '13, 11:58) cmaynard ♦♦

tshark -i 5 -2 -R "http" -w test.pcap

tshark: Read filters aren't supported when capturing and saving the captured packets.

and

tshark -i 5 -Y "http" -w test.pcap

tshark: Display filters aren't supported when capturing and saving the captured packets.

Are both expected behaviors. This is "Bug 2234" as explained at:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234

You can capture to a file, then use a capture filter with tshark and direct your output to a new file using tshark.

I also just successfully used the following (using v1.10.2)

dumpcap -i 5 -w - | tshark -r - -Y "http" -w file.pcap

permanent link

answered 26 Oct '13, 09:56

kpalmgren
1●4●4●6
accept rate: 0%

edited 26 Oct '13, 10:10

Your answer

toggle preview

community wiki:

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Question tags:

capture ×549
capture-filter ×184

question asked: 10 Oct '13, 23:07

question was seen: 7,843 times

last updated: 26 Oct '13, 11:59

wireshark capture filter syntax

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions