When I run

    Wireshark.exe -R "tcp.options.mss_val == 1460" -w mms1460.cap -r tcp.cap

Wireshark is opened and all packets whose mss=1460 are displayed, but I cannot find where "mss1460.cap" is. Why? Thanks a lot.

asked 09 Nov '16, 00:41 w44524
One Answer:
As Sindy is saying, you'd better use tshark, the tool intended for that purpose. The command in tshark is quite similar. You only need to change the -R for the filter to -Y:

    tshark.exe -Y "tcp.options.mss_val == 1460" -w mms1460.cap -r tcp.cap

In the Wireshark manual I see that -w is to "set the name of the file to be used to save captured packets", so I'm guessing that switch is only intended for capturing traffic and writing the output, and not for when you're reading the trace. Hope this helps. Osito

answered 09 Nov '16, 03:17 osito
Leaving aside that the command line says mms1460.cap and you then look for mss1460.cap, I'd assume that you should run tshark instead of Wireshark to get the output file written. The explanation of -w in the Wireshark manual suggests that it indicates where to save the captured data, so maybe it is not taken into account if you don't actually capture.