This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I apply a capture filter to a file?


Can I apply a capture filter to a file I've already saved? Whenever I try this with tshark, I get this:

C:\ws_data>tshark -f "ip host 192.168.0.2" -r input_data.pcap -w output_data.pcap
tshark: Only read filters, not capture filters, can be specified when reading a capture file.
I'm using TShark 1.8.12-custom-win64 (SVN Rev 53127 from /trunk-1.8). Is there another tool that will do what I want, or do I need to learn how to write an equivalent read filter for my capture filter?

asked 29 Jan '14, 11:32


multipleinte...
accept rate: 12%


One Answer:


Is there another tool that will do what I want,

tcpdump ;-)

For windows there is a tool called SplitCap, but the filter syntax is neither capture filter nor display filter.

If you prefer a scripted solution, take a look at pcap-util2. It accepts tcpdump capture filters: http://www.badpenguin.co.uk/files/pcap-util2

do I need to learn how to write an equivalent read filter for my capture filter?

sure, you can also use 'display/read' filters, and the change in the syntax shouldn't be too complex, at least not for simple capture filters.

tshark -nr input.pcap -Y "icmp" -w output.pcap
tshark -nr input.pcap -Y "ip.addr eq 192.168.0.2" -w output.pcap

++ UPDATE ++
I totally forgot WinDump. It will work like tcpdump, meaning it accepts capture filters.

windump -nr input.pcap -w output.pcap "icmp"
windump -nr input.pcap -w output.pcap "ip host 192.168.0.2"

Hint: currently it only supports libpcap files, not pcap-ng files! So, if you want to use WinDump for pcap-ng files, you need to convert them first:

editcap -F pcap input.pcapng output.pcap

Regards
Kurt

answered 29 Jan '14, 12:06


Kurt Knochner ♦
accept rate: 15%

edited 30 Jan '14, 05:13
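The two routes in this answer, as an added shell example that is not code from the original post: pcap_kind() checks the file magic so a pcap-ng file gets the editcap conversion before a libpcap-only tool such as WinDump sees it, and cap2disp() rewrites the simple capture-filter forms used above into display-filter syntax for tshark -Y. It assumes POSIX sh with od and tr; tcpdump, editcap and tshark are only called by the filter_file wrapper.

```shell
# Added example (not from the original answer); assumes POSIX sh with od and tr.
# pcap_kind() checks the file magic so pcap-ng input is converted with editcap
# before a libpcap-only tool such as WinDump; cap2disp() turns the answer's simple
# capture filters into display-filter syntax for tshark -Y.
pcap_kind() {   # prints pcap, pcapng or unknown from the first four bytes
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;   # libpcap, usec or nsec stamps
        0a0d0d0a) echo pcapng ;;                            # pcap-ng section header block
        *) echo unknown ;;
    esac
}
# Handles [proto] [src|dst] host|net|port VALUE, bare protocol names and
# and/or/not; assumes IPv4 unless "ip6" is given; other tokens pass through.
cap2disp() {
    out=""; proto=""; qual=""; kw=""
    for tok in $1; do
        case "$tok" in
            ip|ip6|tcp|udp|icmp|arp) out="$out${proto:+ $proto}"; proto="$tok" ;;
            src|dst) qual="$tok" ;;
            host|net|port) kw="$tok" ;;
            and|or|not) out="$out${proto:+ $proto} $tok"; proto="" ;;
            *)
                if [ "$kw" = port ]; then
                    field="${qual}port"                  # port, srcport or dstport
                    if [ -n "$proto" ]; then out="$out $proto.$field == $tok"
                    else out="$out (tcp.$field == $tok or udp.$field == $tok)"; fi
                elif [ -n "$kw" ]; then                  # host or net: address field
                    layer=ip; [ "$proto" = ip6 ] && layer=ipv6
                    case "$proto" in ""|ip|ip6) ;; *) out="$out $proto and" ;; esac
                    out="$out $layer.${qual:-addr} == $tok"
                else
                    out="$out${proto:+ $proto} $tok"     # unknown token: pass through
                fi
                proto=""; qual=""; kw="" ;;
        esac
    done
    [ -n "$proto" ] && out="$out $proto"               # trailing bare protocol
    printf '%s\n' "${out# }"
}

filter_file() {   # usage: filter_file INPUT OUTPUT 'capture filter'
    in=$1
    if command -v tcpdump >/dev/null 2>&1; then        # capture filters understood as-is
        [ "$(pcap_kind "$in")" = pcapng ] && editcap -F pcap "$in" "${in%.*}.pcap" && in="${in%.*}.pcap"
        tcpdump -nr "$in" -w "$2" "$3"
    else                                               # translate for tshark -Y
        tshark -nr "$in" -Y "$(cap2disp "$3")" -w "$2"
    fi
}
```

filter_file writes the converted copy next to the input and does not delete it, so keep the original pcap-ng around if you need the extra metadata.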

I think you meant -R in place of -Y, but this is exactly what I really needed. Not sure how many times I missed that in the tshark -h output. And also thank you for pointing out that read filters are the same as display filters; I thought I was going to have to learn a third filter syntax for Wireshark.

(29 Jan '14, 12:19) multipleinte...

I think you meant -R in place of -Y,

I really meant -Y. There was a change regarding -Y and -R in one of the recent releases.

(29 Jan '14, 12:24) Kurt Knochner ♦

BTW: see my update in the answer regarding pcap-util2.

(29 Jan '14, 12:25) Kurt Knochner ♦

Hm, -Y is for display filters, but @multipleinterfaces specifically asked for read filters, so I think it IS in fact "-R".

(29 Jan '14, 23:28) Jasper ♦♦

Afaik, 'read' filters are display filter syntax. See 'tshark -h'.

(29 Jan '14, 23:47) Kurt Knochner ♦

From tshark -h

  -2                       perform a two-pass analysis
  -R <read filter>         packet Read filter in Wireshark display filter syntax
  -Y <display filter>      packet displaY filter in Wireshark display filter syntax

From the code in tshark.c.

option -R sets the 'read filter'
option -Y sets the 'display filter'

Now, if I run the following command (1.11.x):

tshark -nr input.pcap -R "ip.addr eq 1.2.3.4"

I get the following message.

tshark: -R without -2 is deprecated. For single-pass filtering use -Y.

So, -Y is single pass and -R -r is two-pass. In that respect, -Y should be called the 'read filter' as it is applied only once during the first/single pass, while the file is being read. And -R should be called the 'display filter', as that's the filter that is applied on both passes, which makes it more like a display filter.

However, in the code it seems to be vice versa (-Y sets the filter for pass two and -R sets the filter for pass one), or maybe I don't understand the code correctly.

Hopefully someone with a better understanding of the code can shed some light on the difference between -Y and -R !?!

(30 Jan '14, 05:32) Kurt Knochner ♦