Hi, I am trying to set a capture filter to capture only DHCP packets and also a display filter for the same. I know we can use the -f option with tshark for a capture filter, and normally DHCP packets come on port 67 or port 68. I apply the same capture filter in the Wireshark GUI and it captures fine. But when I try through Command Prompt it gives wrong syntax errors.

Command:

    tshark -i 2 -f "port 67 or port 68" -R "bootp" -w capture.pcap

Please help, I have been trying for a long time.

asked 10 Oct '13, 23:07 Koushik Gane...
2 Answers:
What version are you running, on what OS, and what exactly is the error? On the version I have currently (I'm a bit lazy and haven't updated for a while from the 1.9.2 development version), I get the following error.

    ./tshark.exe -n -i 3 -f "port 67 or port 68" -R "bootp" -w capture.pcap
    tshark: Read filters aren't supported when capturing and saving the captured packets.

This error isn't so much a syntax issue in that you can't use BOTH capture and read (the equivalent of Wireshark display filters) at the same time if you are saving the file.

answered 11 Oct '13, 02:59 martyvis
    tshark -i 5 -2 -R "http" -w test.pcap
    tshark: Read filters aren't supported when capturing and saving the captured packets.

and

    tshark -i 5 -Y "http" -w test.pcap
    tshark: Display filters aren't supported when capturing and saving the captured packets.

are both expected behaviors. This is "Bug 2234" as explained at: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234

You can capture to a file, then use a capture filter with tshark and direct your output to a new file using tshark.

I also just successfully used the following (using v1.10.2):

    dumpcap -i 5 -w - | tshark -r - -Y "http" -w file.pcap

answered 26 Oct '13, 09:56 kpalmgren, edited 26 Oct '13, 10:10
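The second pass of the capture-then-filter approach described in the answer above, sketched in Python as an added example (not code from the thread or from the Wireshark project). It assumes a classic little-endian pcap file rather than pcapng, builds its own constructed sample frames, and also shows that "port 67 or port 68" without "udp" keeps TCP traffic on those ports; all function names are hypothetical.

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic pcap global header (24 bytes)
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def frame(proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying UDP (17) or TCP (6); checksums left 0."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + b"\x02" + bytes(5) + b"\x08\x00" + ip + l4

def write_pcap(frames):
    out = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += REC_HDR.pack(i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    off = PCAP_HDR.size
    while off + REC_HDR.size <= len(data):
        incl = REC_HDR.unpack_from(data, off)[2]
        off += REC_HDR.size
        yield data[off:off + incl]
        off += incl

def ports(f):
    """Return (ip_proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(f) < 34 or f[12:14] != b"\x08\x00" or f[14] >> 4 != 4:
        return None
    ihl = (f[14] & 0x0F) * 4
    if f[23] not in (6, 17) or len(f) < 14 + ihl + 4:
        return None
    return (f[23],) + struct.unpack_from("!HH", f, 14 + ihl)

def keep_dhcp(data, udp_only=True):
    """Offline filter: udp_only=False mimics "port 67 or port 68" (TCP too)."""
    kept = [f for f in read_pcap(data)
            if (p := ports(f)) and (p[0] == 17 or not udp_only)
            and {p[1], p[2]} & {67, 68}]
    return write_pcap(kept)

# Constructed sample: DHCP-like request, DNS query, TCP to port 67, DHCP-like reply.
SAMPLE = write_pcap([frame(17, 68, 67, b"\x01" + bytes(239)), frame(17, 53000, 53),
                     frame(6, 40000, 67), frame(17, 67, 68, b"\x02" + bytes(239))])
```
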
I am running on Windows 7 and the Wireshark version is Version 1.2.8 (SVN Rev 32676).

Even trying with the normal capture filter syntax, which is like:

    tshark -i 2 -f "port 67 or port 68" -w capture.pcap

does not work!! Are the quotes correctly given? Do I need to change anything in the command?
When you write, "does not work!!", what exactly do you mean? The command fails or you fail to capture DHCP traffic?
Perhaps you could provide answers to:
tshark.exe -D
to verify.
tshark -i 2 -f "port 67 or port 68" -w capture.pcap
?