Hey everyone, I have a little problem with capturing packets and writing the raw data to an output file while using display filters. Here is a short example: `tshark -i eth5 -R imap -w test.pcap`. When looking at the contents with `tshark -r test.pcap`, the following comes out:

```
TIME SRC-IP -> DST-IP TCP 56776 > 50143 [ACK] Seq=416 Ack=782 Win=7504 Len=0 TSV=1012820827 TSER=186804250 7504
TIME SRC-IP -> DST-IP TCP 49360 > 143 [ACK] Seq=101 Ack=919 Win=32762 Len=0 TSV=840349364 TSER=1012820794 32762
TIME SRC-IP -> DST-IP IMAP Response: 4 OK STORE complete 6432
TIME SRC-IP -> DST-IP IMAP Response: * BYE session timeout 6432
```

As you can see, the display filter is not applied. When opening it with `tshark -r test.pcap -R imap`, the output is:

```
TIME SRC-IP -> DST-IP IMAP Response: 4 OK STORE complete 6432
TIME SRC-IP -> DST-IP IMAP Response: * BYE session timeout 6432
```

Exactly that is what should be written to the file, nothing more, only the parts with the decoded IMAP stack. Can anyone explain to me what I did wrong and how to solve that issue? Thanks in advance, Sascha

asked 05 Oct '10, 08:04 Sascha
3 Answers:
Which version are you using? There is a known bug relating to using `-R` with captures in version 1.4.0: "Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)" To see the "Known Bugs" list, read the news.txt file in the Wireshark program files directory. Suggestion: you can capture the packets to a file first (use your `-w test.pcap`) and then use the `-r test.pcap -R testfiltered.pcap` method, however. Not as graceful, but "doable."

answered 05 Oct '10, 09:33 lchappell ♦
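The capture-then-filter workaround from this answer, as an added shell example that is not part of the original thread: the on-wire capture uses a BPF capture filter (which libpcap applies at capture time and which does work with `-w`), and the display filter is applied in a second pass over the saved file. `eth5` is the asker's interface; TCP/143 as the IMAP port, the 60-second duration and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: two-stage filtering
# for tshark 1.x, working around Bug 2234 (-R ignored while writing with -w).
# Stage 1 uses a capture filter (-f, BPF) to keep on-disk volume down;
# stage 2 re-reads the file and applies the display filter (-R) while writing.
# Assumptions: interface eth5, IMAP on TCP/143, tshark 1.x option syntax
# (newer releases spell the display filter -Y and need -2 for -R).

# capture_raw IFACE BPF_FILTER SECONDS OUTFILE
# Capture filters are applied by libpcap at capture time, so they work with -w.
capture_raw() {
    [ $# -eq 4 ] || { echo "usage: capture_raw IFACE BPF SECONDS OUTFILE" >&2; return 2; }
    tshark -i "$1" -f "$2" -a "duration:$3" -w "$4"
}

# postfilter DISPLAY_FILTER INFILE OUTFILE
# Re-read the raw capture and write only the packets matching the display filter.
postfilter() {
    [ $# -eq 3 ] || { echo "usage: postfilter DISPLAY_FILTER INFILE OUTFILE" >&2; return 2; }
    [ -r "$2" ] || { echo "postfilter: cannot read $2" >&2; return 1; }
    tshark -r "$2" -R "$1" -w "$3"
}

# Run the pipeline only when this file is executed under its own name,
# not when it is sourced to reuse the two functions.
if [ "${0##*/}" = "imap_twostage.sh" ]; then
    capture_raw eth5 'tcp port 143' 60 raw.pcap
    postfilter imap raw.pcap imap_only.pcap
    tshark -r imap_only.pcap   # now lists only the decoded IMAP packets
fi
```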
From the release notes: "Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)" In short, while capturing with tshark and writing to disk, display filters will not work. This needs to be fixed, but is rather difficult to fix.

answered 05 Oct '10, 09:30 SYN-bit ♦♦

We must be in sync today, Sake! <g> (05 Oct '10, 09:34) lchappell ♦
tshark: read filters aren't supported when capturing and saving the captured packets.

answered 16 Jun '12, 00:52 DavidMeng
Definitely in sync :-)
Owe u an email - been loopy on drugs for a back problem - touch base with you later today!
Thanks for your hints to the known bug list, don't know why I didn't look there before, maybe because it's still mentioned in the man page.
As this bug seems to be still present in the current version, I compiled and now use the latest version where writing to disk with display filters was known to work correctly (0.99.6), because the data amount is too high to do any post-processing for all captures. For all other work (viewing, analysing, writing to disk only with capture filters) an up-to-date version is used.
Again, thanks for your help.