This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What capture filter can I use to capture only TCP and UDP traffic in tshark commandline interface?

0

HTTP uses port 80. I found this on the internet and used -f "tcp port 80" as the capture filter for capturing only HTTP traffic:

tshark -i Ethernet -f "tcp port 80"

But since I am a newbie, searching for port used by TCP and that used by UDP has confused me, since they both appear to have so so many ports.

So what capture filter do I use to capture only TCP and UDP traffic.

Thank you in advance.

asked 15 Aug '16, 00:55

Jesss's gravatar image

Jesss
51141720
accept rate: 0%

One Answer:

1

The manual with examples is here. For your case, it would be -f "tcp or udp". Check the difference between "capture filter" and "display filter" as each of them has a different syntax and purpose (while the difference in purpose is clearly visible in Wireshark but much less clearly in tshark).

answered 15 Aug '16, 01:01

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

-f "tcp or udp" is a display filter, not a capture filter. I need a capture filter.

(15 Aug '16, 02:10) Jesss

I checked the manual. What I learnt from it is that for a capture filter based on protocol, I need to know the port number the protocol uses.

(15 Aug '16, 02:14) Jesss
1

-f specifies a capture filter, -Y specifies a display filter. tcp or udp is a legal syntax in both. tcp is an abbreviation of proto tcp in capture filter syntax.

There are several protocol layers. UDP and TCP are transport protocols above IP so they are identified by a field in the IP header. HTTP or Telnet are application protocols using TCP as transport, and there the distinction based on TCP port number makes sense.

(15 Aug '16, 02:17) sindy