This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Export specified packets” in tshark.

1

In wireshark there is an option "Export specified packets". How can I do this in thsark? Is there a command that can export/save filtred packets in a new .pcap file?

asked 03 Sep '14, 01:42

anhtuan's gravatar image

anhtuan
31236
accept rate: 0%

One Answer:

2

There are tshark commands that can, given a filter in the "display filter" syntax", read a capture file and write out to another file the packets matched by the filter, such as

tshark -Y {filter} -r {input file} -w {output file}

and

tshark -2 -R {filter} -r {input file} -w {output file}

The second example is more like "Export specified packets" with {filter} as the display filter and with "All packets" and "Displayed" selected, although it's slower as it has to read the file twice.

You can also use editcap if you want to select the packets using ranges of packet numbers rather than a filter.

answered 03 Sep '14, 22:04

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks! This solved my problem.

(04 Sep '14, 00:59) anhtuan