Hello,

In short:

    tshark -f "dst port 80" -Y "http.request" -T fields -e http.host -e http.user_agent > http_dumpfile &
    tshark -f "dst portrange 21-22" -Y "ftp.request.command == LIST || ftp.request.command == PASV" -T fields -e ftp.request.command -e ftp.request.arg > ftp_dumpfile &
    tshark -f "dst port 143 or dst port 220" -Y "imap.isrequest==1" -T fields -e imap.request.command > imap_dumpfile &

vs one long:

    tshark -f "dst port 80 or dst port 110 or dst port 220 or dst portrange 21-22" -Y "ftp.request.command == LIST || ftp.request.command == PASV || http.request || imap.isrequest==1" > capture_dumpfile

Longer version:

I am writing a program in Python that uses tshark to capture and analyze some traffic. I use specific capture filters in combination with display filters to minimize the output as much as possible. Now I have to decide whether to use several instances of tshark with different capture filters and display filters, or to run one unified, more complex capture filter and then analyze the traffic programmatically. A very important note is that display filters ease my work significantly.

asked 04 Sep '15, 05:56 Do5
One Answer:
Besides the fact that the sum of the short tshark commands is different from the long tshark command, you can choose whatever method you like better or whichever causes less work in your script that parses the output. I don't see a direct advantage/disadvantage of having three short tshark commands versus one large one.

Regards

answered 07 Sep '15, 16:40 Kurt Knochner ♦
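As an added illustration of the second option from the question (one tshark process, protocol split done in Python), the following is example code written for this page, not code from the asker or from the Wireshark project. It runs one tshark with the question's unified capture and display filters, asks for the union of the three per-protocol field lists with -T fields, and then sorts each output row into an HTTP, FTP or IMAP bucket by which columns are populated. The interface name, the extra frame.number and ip.dst columns, and the sample output rows are assumptions constructed for the example; -E occurrence=f keeps one value per field so the column count stays fixed, and -l makes tshark flush after every packet so the pipe can be read live.

```python
"""One tshark process with a unified filter, demultiplexed per protocol in Python.
Example code for this page; filters are taken from the question, the rest is assumed."""
import subprocess
from collections import defaultdict

# Capture and display filters exactly as posted in the question's "one long" variant.
CAPTURE_FILTER = "dst port 80 or dst port 110 or dst port 220 or dst portrange 21-22"
DISPLAY_FILTER = ("ftp.request.command == LIST || ftp.request.command == PASV || "
                  "http.request || imap.isrequest==1")

# Union of the three per-protocol -e lists, plus frame.number and ip.dst (assumed, for context).
FIELDS = ["frame.number", "ip.dst", "http.host", "http.user_agent",
          "ftp.request.command", "ftp.request.arg", "imap.request.command"]


def build_command(interface="eth0"):
    """Assemble the tshark argv for the single-process variant.
    -l flushes stdout per packet; -E occurrence=f keeps exactly one value per -e field."""
    cmd = ["tshark", "-i", interface, "-l",
           "-f", CAPTURE_FILTER, "-Y", DISPLAY_FILTER,
           "-T", "fields", "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_line(line):
    """Split one tab-separated -T fields row into a dict; None if the column count is off."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(FIELDS):
        return None  # truncated or foreign line: skip rather than mis-assign columns
    return dict(zip(FIELDS, cols))


def classify(record):
    """Name the protocol a row belongs to by which protocol-specific columns are non-empty."""
    if record["http.host"] or record["http.user_agent"]:
        return "http"
    if record["ftp.request.command"]:
        return "ftp"
    if record["imap.request.command"]:
        return "imap"
    return "other"


def demux(lines):
    """Route each tshark output row into a per-protocol list (the 'analyze programmatically' step)."""
    buckets = defaultdict(list)
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        buckets[classify(record)].append(record)
    return buckets


def run_live(interface="eth0"):
    """Start tshark and demux its output as it arrives (needs tshark and capture privileges)."""
    proc = subprocess.Popen(build_command(interface), stdout=subprocess.PIPE, text=True)
    return demux(proc.stdout)


# Constructed sample of what the command above would print; not real capture data.
SAMPLE_OUTPUT = [
    "1\t192.0.2.10\texample.test\tcurl/7.0\t\t\t",   # HTTP request
    "2\t192.0.2.20\t\t\tPASV\t\t",                   # FTP PASV, no argument
    "3\t192.0.2.20\t\t\tLIST\t/pub\t",               # FTP LIST /pub
    "4\t192.0.2.30\t\t\t\t\tLOGIN",                  # IMAP request
    "broken line",                                   # malformed row, dropped by parse_line
]

if __name__ == "__main__":
    for proto, records in demux(SAMPLE_OUTPUT).items():
        print(proto, [r["frame.number"] for r in records])
```

With a single process, the script never has to merge three output files, but every row carries empty columns for the two protocols it is not about, which is the per-row cost of the unified approach that the answer leaves to the script author's preference.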