This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use capture filter or display filter?

0

I want to do a live capture and extract specific fields like ip.src, ip.dst, ... then save the result in multiple CSV files using a ring buffer.

I found that if I used this command

tshark -r 111.pcap -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text -e tcp.analysis.duplicate_ack -e tcp.analysis.out_of_order -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission -e tcp.analysis.spurious_retransmission -e tcp.analysis.zero_window -e tcp.stream -e tcp.srcport -e tcp.dstport -e data.len -E header=y -E separator=, -E quote=d >out.csv

tshark will read from the 111.pcap file and save the mentioned fields in the out.csv file.

I want to apply the same but in a live capture and save the result in multiple CSV files using a ring buffer.

So I tried to use this command

tshark -i 3 -b files:5 -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text -e tcp.analysis.duplicate_ack -e tcp.analysis.out_of_order -e tcp.analysis.retransmission -e tcp.analysis.fast_retransmission -e tcp.analysis.spurious_retransmission -e tcp.analysis.zero_window -e tcp.stream -e tcp.srcport -e tcp.dstport -e data.len -E header=y -E separator=, -E quote=d >out.csv

It gives me "tshark :multiple capture files requested but the capture isn't being saved to file".

Why?

I think it needs a capture filter, but I couldn't write one for all these fields. Thank you.

asked 18 Jan '15, 11:56

shady
118813
accept rate: 0%


One Answer:

2

The error means you gave a "-b files:5" option to write to 5 capture files in a ring, but didn't give a "-w filename" option to make tshark write the capture file and its file name. Note that the "-b files:5" applies to capture files tshark writes, not to "out.csv" which is where you were saving the output that would have been printed to the screen to a file instead. In other words, when you did ">out.csv", you redirected the screen output to a file named "out.csv"... but tshark knows nothing about that and wasn't doing it - your shell/OS was doing that redirection.

Also, you were not using a "display filter" - you were just telling tshark to print out those specific fields instead of its normal output. It's just that what it was printing to the screen was being redirected to a file by your shell/OS.

> I want to apply the same but in a live capture and save the result in multiple CSV files using a ring buffer.

I don't know a way to do that. You could just run tshark to save live to 5 capture files in a ring, and then separately run tshark again for each of those saved files to save the specific fields to a CSV file, as you did before.

answered 18 Jan '15, 14:18

Hadriel
2.7k2939
accept rate: 18%

Thank you very much for explaining.

I am planning to create a batch file to handle these 5 pcap files from the live capture, to convert them to CSV files while the live capture is running.

Any help here?

(19 Jan '15, 03:45) shady
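As an added example (not from this thread or the Wireshark project), here is a Python watcher that does the two-step process Hadriel describes while the capture is still running: it waits for a ring-buffer file to be closed, then runs the same field-extraction command the question used on it and writes a CSV next to it. It assumes tshark is on PATH and that the live capture was started with a -w file name plus a rotation condition, e.g. `tshark -i 3 -w capture.pcapng -b duration:60 -b files:5`; the directory and prefix arguments to `watch()` are the example's own.

```python
import os
import subprocess
import time

# The 15 fields from the question's tshark command.
FIELDS = ["frame.number", "frame.time", "ip.src", "ip.dst", "data.text",
          "tcp.analysis.duplicate_ack", "tcp.analysis.out_of_order",
          "tcp.analysis.retransmission", "tcp.analysis.fast_retransmission",
          "tcp.analysis.spurious_retransmission", "tcp.analysis.zero_window",
          "tcp.stream", "tcp.srcport", "tcp.dstport", "data.len"]

def tshark_args(pcap_path, fields=FIELDS):
    """Build the argv of the offline field-extraction run shown in the question."""
    args = ["tshark", "-r", pcap_path, "-T", "fields"]
    for field in fields:
        args += ["-e", field]
    return args + ["-E", "header=y", "-E", "separator=,", "-E", "quote=d"]

def csv_name(pcap_path):
    """capture_00001_20150118115600.pcapng -> capture_00001_20150118115600.csv"""
    return os.path.splitext(pcap_path)[0] + ".csv"

def completed_ring_files(paths, mtimes, done):
    """tshark -b writes one ring file at a time, so the newest file (by mtime)
    is still open; return the others, oldest first, that are not yet converted."""
    ordered = sorted(paths, key=lambda p: mtimes[p])
    return [p for p in ordered[:-1] if p not in done]

def convert(pcap_path):
    """Run the question's extraction on one finished ring file, into a CSV."""
    with open(csv_name(pcap_path), "w") as out:
        subprocess.run(tshark_args(pcap_path), stdout=out, check=True)

def watch(directory, prefix, interval=5.0):
    """Poll the ring-buffer directory while the live capture keeps running."""
    done = set()
    while True:
        paths = [os.path.join(directory, n) for n in os.listdir(directory)
                 if n.startswith(prefix) and n.endswith((".pcap", ".pcapng"))]
        mtimes = {p: os.path.getmtime(p) for p in paths}
        for path in completed_ring_files(paths, mtimes, done):
            try:
                convert(path)
            except subprocess.CalledProcessError:
                pass  # e.g. the ring buffer deleted the file before tshark read it
            done.add(path)
        time.sleep(interval)
```

Because `-b files:5` deletes the oldest capture when the sixth is opened, the CSV files are what persists; run `watch("C:/captures", "capture")` (or the equivalent path on your system) in a second terminal alongside the live tshark.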