This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filters applied to saved capture files

0

Very comfortable with Wireshark and understand filters, etc... It seems that a lot of people ask this question and the answers always involve saving a massive .pcap file and doing some post processing on it to isolate only what's needed. Trouble is I need to run Wireshark for many hours and capture activity only to a specific port. I set the filter to isolate the port activity in the display window but can't watch the screen for 8 hours.

The basic question is how can I simply write only the filtered result to a file. What I see in the display needs to be saved in a file for later review.

Thanks

asked 15 Dec '15, 06:36


King Of Crab
5112
accept rate: 0%


2 Answers:

0

The simple answer is "use File -> Export Specified Packets" while a display filter is applied, assuming that a capture(-time) filter is not narrow enough for your purpose and you need to apply a display(-time) filter to choose by protocol fields which the capture filter cannot access.

Or you may want to use command-line tshark instead of the GUI Wireshark and use -Y or -R to specify "display filter" during capture and -w to write the result (see further details and syntax here).

A hint which I haven't found at the wiki: if you need to specify more complex display filter conditions, use "" to delimit the condition, and use \" where you need to use " as part of the filter.

Example: -Y "usb.iso.status == 0 and usb.src == \"3.6.2\""

answered 15 Dec '15, 07:21


sindy
6.0k4851
accept rate: 24%

Thanks sindy. I ran tshark with a few filter options and got what's needed on the screen output but didn't have the same filter option for writing to a file. Just redirecting stdio to a file did the trick. Yay for me. Thanks again

(15 Dec '15, 08:12) King Of Crab

0

Trouble is I need to run Wireshark for many hours and capture activity only to a specific port.

If all you want is activity to a specific TCP or UDP port, and will never have any interest in anything else (as in "you won't, after reading the traffic, realize that you really need to see something other than traffic to that port"), you can use a capture filter such as tcp dst port XXX or udp dst port XXX; with a capture filter such as that, the only packets written to the file will be packets to the port in question.

If you want packets both to and from that port, remove the dst from those filters.

Capture filters are handled by a much simpler engine (in the libpcap/WinPcap library and in the OS kernel), won't handle arbitrary forms of tunneling/encapsulation of IP traffic, and require extra care if you're using VLANs: the filter expression in question won't handle VLAN traffic; you'd need something like

tcp dst port XXX or (vlan and tcp dst port XXX)

(with dst removed if you want traffic to and from the port).

answered 15 Dec '15, 19:39


Guy Harris ♦♦
17.4k335196
accept rate: 19%
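The two answers above describe the same unattended-capture job in two ways: a cheap capture filter (with the VLAN-aware form Guy Harris gives) or a display filter applied during capture with tshark -Y and written out with -w (sindy's answer, including the \" quoting tip). The script below is an added example, not code from the original page or from the Wireshark project; it builds those command lines so they can be checked before an 8-hour run. The interface name, file names, port numbers, the 8-hour limit and the ring-buffer sizes are placeholder assumptions; the tshark options used (-i, -f, -Y, -w, -a duration:, -b filesize:, -b files:) are real.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Builds the capture filter and
# tshark command lines discussed in the answers so a long, unattended capture
# can be limited to one port either at capture time (kernel BPF, cheap) or at
# dissection time (-Y, slower but can test protocol fields).
# Interface names, output paths and ports below are placeholders.

# bpf_port_filter PORT [PROTO] [DIR]
# Print a libpcap/BPF capture filter matching PORT on both untagged and
# 802.1Q-tagged frames. PROTO is tcp (default) or udp; DIR is dst, src or both.
bpf_port_filter() {
    port=$1
    proto=${2:-tcp}
    dir=${3:-both}
    case "$proto" in
        tcp|udp) ;;
        *) echo "bpf_port_filter: proto must be tcp or udp" >&2; return 1 ;;
    esac
    case "$dir" in
        both)    term="$proto port $port" ;;
        src|dst) term="$proto $dir port $port" ;;
        *) echo "bpf_port_filter: dir must be src, dst or both" >&2; return 1 ;;
    esac
    # "vlan" shifts the offsets used by every test that follows it, so the
    # port test is repeated inside the vlan clause instead of factored out.
    printf '%s or (vlan and %s)\n' "$term" "$term"
}

# escape_dfilter FILTER
# Escape embedded double quotes so the display filter can be wrapped in "".
escape_dfilter() {
    printf '%s\n' "$1" | sed 's/"/\\"/g'
}

# capture_cmd IFACE PORT OUTFILE [PROTO] [DIR]
# Print a tshark command line that writes only packets matching the capture
# filter, stops after 8 hours (placeholder) and keeps a ring of 20 files of
# about 100 MB each so the disk cannot fill up during the run.
capture_cmd() {
    iface=$1 port=$2 out=$3
    f=$(bpf_port_filter "$port" "${4:-tcp}" "${5:-both}") || return 1
    printf 'tshark -i %s -f "%s" -w %s -a duration:28800 -b filesize:102400 -b files:20\n' \
        "$iface" "$f" "$out"
}

# dissect_cmd IFACE DFILTER OUTFILE
# Print a tshark command line that applies a display filter during capture
# (-Y) and writes the matching packets with -w. Every packet is dissected in
# user space, so prefer capture_cmd when a port alone is selective enough.
dissect_cmd() {
    iface=$1 out=$3
    df=$(escape_dfilter "$2")
    printf 'tshark -i %s -Y "%s" -w %s\n' "$iface" "$df" "$out"
}

# Demonstration with placeholder values; copy the printed lines to run them.
capture_cmd eth0 443 /var/tmp/port443.pcapng
capture_cmd eth0 53 /var/tmp/dns.pcapng udp dst
dissect_cmd eth0 'tcp.port == 443 && tls.handshake.extensions_server_name == "example.com"' /var/tmp/sni.pcapng
```

The functions only print command lines rather than executing them, so the generated filter can be reviewed (and tested against an existing file with tshark -r) before it is trusted with an overnight capture.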