I am trying to set a capture filter to capture only DHCP packets and also a display filter for the same.
I know we can use the -f option with tshark for a capture filter, and normally DHCP packets come on port 67 or port 68. I apply the same capture filter in the Wireshark GUI and it captures fine.
But when I try through Command Prompt it gives wrong syntax errors. Command:
tshark -i 2 -f "port 67 or port 68" -R "bootp" -w capture.pcap
Please help, I have been trying for a long time.
asked 10 Oct '13, 23:07
What version are you running, on what OS, and what exactly is the error? On the version I have currently (I'm a bit lazy and haven't updated for a while from the 1.9.2 development version), I get the following error:
./tshark.exe -n -i 3 -f "port 67 or port 68" -R "bootp" -w capture.pcap
tshark: Read filters aren't supported when capturing and saving the captured packets.
This error isn't so much a syntax issue as it is that you can't use BOTH capture and read (the equivalent of Wireshark display filters) at the same time if you are saving the file.
answered 11 Oct '13, 02:59
tshark -i 5 -2 -R "http" -w test.pcap
tshark: Read filters aren't supported when capturing and saving the captured packets.
tshark -i 5 -Y "http" -w test.pcap
tshark: Display filters aren't supported when capturing and saving the captured packets.
Are both expected behaviors. This is "Bug 2234" as explained at:
You can capture to a file, then use a capture filter with tshark and direct your output to a new file using tshark.
I also just successfully used the following (using v1.10.2)
dumpcap -i 5 -w - | tshark -r - -Y "http" -w file.pcap
answered 26 Oct '13, 09:56
edited 26 Oct '13, 10:10
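The "capture to a file first, then filter into a new file" approach from the answers above, with the second step done without tshark. This is an added example, not part of the original posts: it keeps only frames on the DHCP ports 67/68 from a saved capture. It assumes a little-endian classic pcap file (not pcapng) with Ethernet link type and IPv4/UDP traffic; the helper names and the sample capture are constructed for illustration.

```python
import struct

DHCP_PORTS = {67, 68}  # the ports named in the capture filter "port 67 or port 68"

def is_dhcp_frame(frame: bytes) -> bool:
    """True for an Ethernet/IPv4/UDP frame with source or destination port 67/68."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    # Protocol 17 is UDP; later fragments carry no UDP header, so skip them.
    if ihl < 20 or frame[23] != 17 or frag_offset:
        return False
    udp = frame[14 + ihl:14 + ihl + 4]
    if len(udp) < 4:                                      # frame cut off by the snap length
        return False
    sport, dport = struct.unpack("!HH", udp)
    return sport in DHCP_PORTS or dport in DHCP_PORTS

def filter_pcap(data: bytes) -> bytes:
    """Return a new classic pcap holding only the DHCP-port frames of `data`."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    out, pos = [data[:24]], 24                            # keep the global header unchanged
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        record = data[pos:pos + 16 + incl_len]
        if len(record) < 16 + incl_len:                   # truncated final record
            break
        if is_dhcp_frame(record[16:]):
            out.append(record)
        pos += 16 + incl_len
    return b"".join(out)

def make_frame(proto: int, sport: int, dport: int) -> bytes:
    """Constructed test frame: Ethernet + IPv4 + an 8-byte header with two ports."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, bytes(4), b"\xff" * 4)
    return eth + ip + l4

def make_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: DHCP request, mDNS, TCP on ports 67/68, DHCP reply.
SAMPLE = make_pcap([make_frame(17, 68, 67), make_frame(17, 5353, 5353),
                    make_frame(6, 67, 68), make_frame(17, 67, 68)])
```

Unlike the BPF expression "port 67 or port 68", which also matches TCP ports, this check accepts UDP only.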