This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture on all interfaces in tshark

0

How can I capture on all interfaces in tshark without mentioning interface IDs? Please help on this.

asked 26 Mar '14, 05:43

shreeshail


One Answer:

1

On Linux, Unix, *BSD you can use

tshark -ni any

On Windows, any does not work, so you'll have to specify the interface ID or number

tshark -ni 1 -ni 2 -ni 3 (this will work on Linux, Unix, *BSD as well)

You can get the interface number with

dumpcap -D -M

Regards
Kurt

answered 26 Mar '14, 08:46

Kurt Knochner ♦

edited 26 Mar '14, 08:47

Just for completeness, the n flag has nothing to do with the interface specification, it disables name resolution.

I have no idea what the M flag does but I don't require it on Windows to get the interface id numbers. Note the id number to use with the -i flag is the digit at the start, you no longer need to use the long guid name.

(26 Mar '14, 08:57) grahamb ♦

, it disables name resolution.

sure. Just an old habit of mine. I always use -ni, as I type it without thinking ;-)

I have no idea what the M flag does

it prints "machine-readable" output, according to the man page, but the more interesting part: It prints the IP address, which helps to identify the right interface.

(26 Mar '14, 09:06) Kurt Knochner ♦

Duh, I was looking at tshark with the -D, not dumpcap. For whatever reason tshark doesn't have that flag, maybe it should.

(26 Mar '14, 10:07) grahamb ♦

maybe it should.

I believe I suggested it here some time ago (maybe 1-2 years), but I never opened an enhancement request nor did I feel a strong temptation to change the code myself ;-)

(26 Mar '14, 10:40) Kurt Knochner ♦

Thanks Kurt Knochner

Is it possible to get the 'interface id' given the 'interface IP address', since I will get the IP address as user input? Or is there any way I can provide the IP address of the interface directly to tshark as an argument in place of the interface id?

(26 Mar '14, 23:18) shreeshail

No, that's not possible. You'll have to parse the output of dumpcap -D -M and search for the IP address to get the interface number.

(27 Mar '14, 11:45) Kurt Knochner ♦
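
The lookup described in the last comment, as an added example that is not part of the original thread: it parses `dumpcap -D -M` output for a user-supplied IP address and returns the interface number for `-i`. The tab/comma field layout, the constructed `SAMPLE` listing and the function names are assumptions; the user input is validated as an IP address and only the resulting integer is placed on the tshark command line.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `dumpcap -D -M` output (tab-separated; layout assumed).
SAMPLE = (
    "1. eth0\t\t\t0\t192.0.2.10,fe80::1%eth0\tnetwork\n"
    "2. wlan0\t\t\t0\t198.51.100.7\tnetwork\n"
    "3. lo\t\tLoopback\t0\t127.0.0.1,::1\tloopback\n"
)

def _addresses(line):
    """Yield every IP address found in the tab/comma separated fields."""
    for field in line.split("\t")[1:]:
        for token in field.split(","):
            try:
                # Drop an IPv6 zone id ("%eth0") before parsing.
                yield ipaddress.ip_address(token.strip().split("%")[0])
            except ValueError:
                continue  # not an address (description, type, ...)

def interface_number(listing, user_ip):
    """Return the interface number whose addresses include user_ip, else None."""
    wanted = ipaddress.ip_address(user_ip.strip())  # ValueError on bad input
    for line in listing.splitlines():
        m = re.match(r"(\d+)\. ", line)  # the id is the digit at the start
        if m and wanted in _addresses(line):
            return int(m.group(1))
    return None

def tshark_command(user_ip, listing=None):
    """Build the tshark argument list for the interface that owns user_ip."""
    if listing is None:
        listing = subprocess.run(["dumpcap", "-D", "-M"], capture_output=True,
                                 text=True, check=True).stdout
    number = interface_number(listing, user_ip)
    if number is None:
        raise LookupError(f"no interface has address {user_ip!r}")
    # Only the validated integer reaches the command line; no shell is used.
    return ["tshark", "-n", "-i", str(number)]

if __name__ == "__main__":
    print(tshark_command("198.51.100.7", SAMPLE))
```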