Wireshark save output file name Date

Question

I am creating an automatic routine to save pcap file. I'm having trouble saving the file with the date. Can someone help me?

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF4
6-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\
APP01%date:~4,2%%date:~7,2%%date%~10,4%.pcap
tshark: A capture filter was specified both with "-f" and with additional comman
d-line arguments.

Answer 1

Those date commands appear to generate a file name with spaces in it. In that case you're going to need to quote the file name so that it's passed to tshark as a single argument (rather than 2 or more). For example:

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w "C:\APP01%date:~4,2%%date:~7,2%%date%~10,4%.pcap"

At least that's what would be necessary on Unix/Linux (which I'm far more familiar with...).

Answer 2

You have a 1-character typo, namely the percent (%) after the last date should be a colon (:), i.e. you need to change this:

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\APP01%date:~4,2%%date:~7,2%%date%~10,4%.pcap

to this:

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\APP01%date:~4,2%%date:~7,2%%date:~10,4%.pcap