This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Tshark filter protocol FIX

0

Can someone help me? I cannot save the file.

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -Y fix -w C:\ts.pcap
tshark: Display filters aren't supported when capturing and saving the captured packets.

asked 26 Jun '17, 11:37

JorgeMiguelr210


One Answer:

0

You need to use "-f" instead of "-Y", because during capture you can only use capture filters (in BPF syntax). Which probably means that you cannot filter on "fix" that way, because that is a display filter...

answered 26 Jun '17, 11:40

Jasper ♦♦

Thank you for your help. I did some testing here and I can filter as icmp. I wanted to filter only the FIX messages.

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f fix
Capturing on 'rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29}'
tshark: Invalid capture filter "fix" for interface 'rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29}'.

That string looks like a valid display filter; however, it isn't a valid capture filter (syntax error).

(26 Jun '17, 11:50) JorgeMiguelr210
1

As I indicated in my answer to your question over at Stack Overflow, you can probably use a capture filter of -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58". That filter was supplied by Kurt Knochner in his answer to this question.

(26 Jun '17, 12:00) cmaynard ♦♦
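What the capture filter in the comment above compares, as an added example that is not part of the original thread: the two constants spell "8=FIX", and the hard-coded offset 20 assumes a TCP header without options. The segments, port numbers and FIX payload are constructed samples, and `OFFSET_AWARE_FILTER` is an assumed variant built on the header-length idiom from pcap-filter(7), not a filter given by the posters.

```python
import struct

# Capture filter quoted in the comment above.
FIXED_FILTER = "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58"
# Assumed variant (not from the thread): start at the TCP data offset rather
# than a hard-coded 20, using the header-length idiom from pcap-filter(7).
OFFSET_AWARE_FILTER = ("tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x383D4649 and "
                       "tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x58")

def decode_constants():
    """Bytes that the two hex constants in the filter compare against."""
    return struct.pack(">I", 0x383D4649) + bytes([0x58])

def tcp_segment(payload, options=b""):
    """Constructed TCP header + options (NOP-padded to 4 bytes) + payload."""
    options += b"\x01" * (-len(options) % 4)
    header = struct.pack(">HHIIBBHHH", 40000, 9876, 1, 1,
                         ((20 + len(options)) // 4) << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def match_at(seg, off):
    """True if the five bytes at TCP offset `off` are '8=FIX'."""
    return seg[off:off + 5] == decode_constants()

def fixed_match(seg):          # models FIXED_FILTER
    return match_at(seg, 20)

def offset_aware_match(seg):   # models OFFSET_AWARE_FILTER
    return match_at(seg, (seg[12] & 0xF0) >> 2)

# Constructed samples: a FIX heartbeat-like payload, a TCP timestamps option.
FIX_MSG = b"8=FIX.4.2\x019=5\x0135=0\x0110=000\x01"
TIMESTAMPS = b"\x08\x0a" + bytes(8)
SAMPLES = {
    "fix, no options": tcp_segment(FIX_MSG),
    "fix, timestamps option": tcp_segment(FIX_MSG, TIMESTAMPS),
    "fix, mid-message segment": tcp_segment(FIX_MSG[10:]),
    "http, no options": tcp_segment(b"GET / HTTP/1.1\r\n\r\n"),
}

def evaluate():
    """Map each sample name to (fixed filter result, offset-aware result)."""
    return {name: (fixed_match(s), offset_aware_match(s))
            for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (fixed, aware) in evaluate().items():
        print(f"{name:26} fixed={fixed!s:5} offset-aware={aware}")
```

Either filter only keeps segments whose payload begins with "8=FIX", so segments that continue a message split across packets are not captured.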

This question is about filtering FIX traffic. If you have another question, don't keep adding more comments or "answers" to this one. I have deleted all content unrelated to filtering of FIX traffic.

Also, if an answer has resolved your question, then you should mark it as accepted. Please read the FAQ.

(28 Jun '17, 11:45) cmaynard ♦♦