This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use capture filter on tshark when reading a file

0

I need to filter a big pcap, I can use display filter, but it's typically slower than capture filter. However I got the following message:

tshark -r tmp1.pcap -f "tcp port 80"
tshark: Only read filters, not capture filters, can be specified when reading a capture file.

When how can I use capture filter for tshark to read from a file.

asked 29 Apr '15, 12:35

pktUser1001's gravatar image

pktUser1001
201495054
accept rate: 12%

One Answer:

1

Using a capture filter while reading is not an option in tshark. You could use tcpdump or windump to do that for you:

tcpdump -r infile.pcap -w outfile.pcap "tcp port 80"

or

windump -r infile.pcap -w outfile.pcap "tcp port 80"

This will work quicker than tshark and has less memory consumption, so you can process larger files.

answered 29 Apr '15, 13:05

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks @SYN-bit. If I do tcpdump -r infile.pcap "tcp port 80" to output things to screen (so I can pipe it to another program to process), it's incredibly slow: 6MB pcap infile.pcap will take minutes. Not sure why.

(29 Apr '15, 21:40) pktUser1001

Have you tried to use option "-n" do disable name resolution? Normally DNS lookups slow things down.

(29 Apr '15, 22:58) Uli

With newer versions of tshark you might try

tcpdump -r infile.pcap -w - "tcp port 80" | tshark -r -

That might have the same problem, though, as TShark would also try DNS lookups, but might do them differently. You could pass tshark the -n flag to get it not to do DNS lookups in that case.

(29 Apr '15, 23:40) Guy Harris ♦♦