This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark save output file name Date

0

I am creating an automatic routine to save pcap file. I'm having trouble saving the file with the date. Can someone help me?

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\APP01%date:~4,2%%date:~7,2%%date%~10,4%.pcap
tshark: A capture filter was specified both with "-f" and with additional command-line arguments.

asked 26 Jun '17, 18:09

JorgeMiguelr210
6446
accept rate: 0%


2 Answers:

0

Those date commands appear to generate a file name with spaces in it. In that case you're going to need to quote the file name so that it's passed to tshark as a single argument (rather than 2 or more). For example:

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w "C:\APP01%date:~4,2%%date:~7,2%%date%~10,4%.pcap"

At least that's what would be necessary on Unix/Linux (which I'm far more familiar with...).

answered 27 Jun '17, 06:44

JeffMorriss ♦
6.2k572
accept rate: 27%

0

You have a 1-character typo, namely the percent (%) after the last date should be a colon (:), i.e. you need to change this:

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\APP01%date:~4,2%%date:~7,2%%date%~10,4%.pcap

to this:

C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\APP01%date:~4,2%%date:~7,2%%date:~10,4%.pcap

answered 27 Jun '17, 20:49

cmaynard ♦♦
9.4k1038142
accept rate: 20%
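
The two answers combined into a batch file, as an added example that is not part of the original posts: it builds the stamp with the corrected substrings, checks that the result is exactly eight digits before it reaches tshark, and passes the output name as one quoted argument. The variable names and the PowerShell fallback are additions; the tshark path, interface, filter and output prefix are the values quoted in the thread, and the offsets assume the "Mon 06/26/2017" date layout they imply.

```batch
@echo off
setlocal

rem Added example. Values below are the ones quoted in the thread.
set "TSHARK=C:\Program Files\Wireshark\tshark.exe"
set "IFACE=rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29}"
set "FILTER=tcp[20:4]=0x383D4649 and tcp[24:1]=0x58"

rem MMDDYYYY taken from the DATE variable with the corrected :~offset,length form.
rem Assumption: DATE expands like "Mon 06/26/2017" on this machine.
set "STAMP=%date:~4,2%%date:~7,2%%date:~10,4%"

rem Accept the stamp only if it is exactly eight digits. A mistyped offset or
rem a different locale layout leaves spaces or slashes in it, which would
rem either split the -w argument or produce an invalid file name.
echo(%STAMP%| findstr /r /x "[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" >nul
if errorlevel 1 (
    rem Fallback that does not depend on the locale's date layout.
    for /f %%d in ('powershell -NoProfile -Command "Get-Date -Format MMddyyyy"') do set "STAMP=%%d"
)

rem Quote every argument so each one reaches tshark as a single token.
set "OUT=C:\APP01%STAMP%.pcap"
echo Writing capture to "%OUT%"
"%TSHARK%" -i "%IFACE%" -f "%FILTER%" -w "%OUT%"
```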