This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there an equivalent to tshark -z follow… for use with -w?


I would like to output the raw packets for just one thread. E.g. something like:

tshark -r in.cap -z"follow,tcp,hex,1.2.3.4:2000,1.2.3.9:2001" -F pcap -w out.cap

The -z follow... switch does the job in principle but only seems to do text output. Adding -w gives no output. Is there an equivalent filter for -R or -Y?

asked 31 Oct '13, 06:13

wiggers


One Answer:


Sounds like you want to save one conversation in a new capture file.

If so, please run tshark with the appropriate display filter

tshark -nr input.pcap -Y "ip.addr eq 1.2.3.4 and ip.addr eq 1.2.3.9 and tcp.port eq 2000 and tcp.port eq 2001" -F pcap -w out.pcap

Regards
Kurt

answered 02 Nov '13, 16:56

Kurt Knochner ♦

Using .addr and .port is the key, I thought you needed src or dst as well.

(04 Nov '13, 02:25) wiggers

.addr is both directions, so it matches for .src and .dst.

(04 Nov '13, 05:15) Kurt Knochner ♦
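The answer's `ip.addr`/`tcp.port` filter does pick up both directions, but it also matches a second connection between the same two hosts with the ports swapped (1.2.3.4:2001 to 1.2.3.9:2000), because `ip.addr eq X and ip.addr eq Y` does not say which address pairs with which port. The script below is an added example, not part of the original thread or of Wireshark itself: it pins the full 4-tuple in each direction, looks up the `tcp.stream` index Wireshark assigned to that conversation, and writes only that stream with `-w`, which is the closest `-Y` equivalent of the `-z follow,tcp` selector in the question. The helper names `conv_filter` and `extract_conversation` and the file names are assumptions for illustration; the tshark options used (`-n`, `-r`, `-Y`, `-T fields -e tcp.stream`, `-F pcap`, `-w`) are real.

```shell
#!/bin/sh
# Added example (not from the original Q&A): save exactly one TCP
# conversation from a capture file with tshark.

# Build a display filter that matches only the two directions of one
# conversation.  Each direction is a complete 4-tuple, so a connection
# between the same hosts with the ports swapped does NOT match.
# Usage: conv_filter IP_A PORT_A IP_B PORT_B
conv_filter() {
    printf '(ip.src == %s && tcp.srcport == %s && ip.dst == %s && tcp.dstport == %s) || (ip.src == %s && tcp.srcport == %s && ip.dst == %s && tcp.dstport == %s)' \
        "$1" "$2" "$3" "$4" "$3" "$4" "$1" "$2"
}

# Find the tcp.stream index of the conversation and write that stream
# to OUT.  If the same 4-tuple was reused for more than one connection
# (several distinct stream indices), warn and take the first one.
# Usage: extract_conversation IN.pcap OUT.pcap IP_A PORT_A IP_B PORT_B
extract_conversation() {
    in="$1"; out="$2"; shift 2
    filter=$(conv_filter "$@")

    # One tcp.stream index per matching packet; collapse to distinct values.
    streams=$(tshark -nr "$in" -Y "$filter" -T fields -e tcp.stream | sort -un)
    if [ -z "$streams" ]; then
        echo "no packets match: $filter" >&2
        return 1
    fi

    count=$(printf '%s\n' "$streams" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "warning: 4-tuple reused by $count connections (streams: $(printf '%s ' $streams)); extracting the first" >&2
    fi
    stream=$(printf '%s\n' "$streams" | head -n 1)

    # Write only packets Wireshark assigned to that stream index.
    tshark -nr "$in" -Y "tcp.stream eq $stream" -F pcap -w "$out"
}

# Run only when called with all six arguments, e.g.:
#   sh extract.sh in.cap out.cap 1.2.3.4 2000 1.2.3.9 2001
if [ $# -eq 6 ]; then
    extract_conversation "$@"
fi
```

The two-step lookup matters when a port pair is reused within one capture: a plain 4-tuple filter would merge both connections into `out.pcap`, while `tcp.stream eq N` keeps only the one you asked for, so the script warns when it sees more than one stream index.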