This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark capture input and output

0

I created a Tshark script, I realized that I am only filtering incoming messages so I can not see anything. Can someone help me?

Tshark.exe -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -i rpcap://[172.16.254.6]/\Device\NPF_{0E94BE7D-D6F0-43B0-B561-5CE3FC9A6AD7} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w "D:\fix\%DATE:~4,2%%DATE:~7,2%%DATE:~10,4%_APP01.pcap"

asked 29 Jun '17, 11:17

JorgeMiguelr210's gravatar image

JorgeMiguelr210
6446
accept rate: 0%

edited 29 Jun '17, 11:19


One Answer:

0

I may be wrong nowadays, but the last time I've tried a couple of months ago, you could capture from just a single input queue. If this is still true, to achieve your goal, you'll have to run two instances of tshark, each capturing from another remote device, and then merge the result files.

answered 29 Jun '17, 12:12

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%