Hello everyone, I'm trying to capture just TCP files with TSHARK.
tshark -g -s 65535 -b duration:43200 -a files:1 -i eth0 –I eth1 -w /home/pi/DATA/info
I'm using this right now and want to add a filter.
asked 08 Oct '17, 17:53 jcgarcia007
One Answer:
You can add a capture filter to tshark with '-f pcap-filter-expr' (see also https://wiki.wireshark.org/CaptureFilters). To filter only TCP packets, use '-f tcp'.
answered 09 Oct '17, 00:57 Uli
Are there any rules for using quotes in that case? Tried to add '-f tcp' to the line above in the question, and it didn't work for me. Errors are:
'tshark: A capture filter was specified both with "-f" and with additional command-line arguments.'
or 'Illegal token'
I haven't read the syntax of the initial question right:
The '-I' flag is for running in monitor mode. 'eth1' is interpreted as a capture filter.
Therefore when using '-f tcp' and having 'eth1' there are two capturing filters.
@jcgarcia007: What's the purpose of 'eth1' in your command?
Thanks, this filter works perfectly.
Presumably what was intended was
I.e., lower-case "i" rather than capital "I", meaning that there are two -i flags, one specifying eth0 and one specifying eth1, so that TShark will capture on both eth0 and eth1.
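A simplified model of the option parsing discussed in the comments above, added here as an example and not taken from the thread or from TShark's source: it shows why 'eth1' after '-I' becomes a leftover word that collides with '-f tcp'. The function name check_tshark_args and its short option table are assumptions; only the options that appear in the question are recognised, and '-I' is written with a plain hyphen as the comments read it.

```shell
#!/usr/bin/env bash
# Model of getopt-style parsing for the TShark options used in this thread.
# Assumption: the checker knows only these options.
#   take a value : -i -f -s -b -a -w
#   no value     : -g -I
# Words left over after option parsing are read as a capture filter, which is
# how a stray "eth1" ends up conflicting with "-f tcp".
check_tshark_args() {
    local has_f=0 ifaces=0 leftover=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -i|-f|-s|-b|-a|-w)
                if [ "$#" -lt 2 ]; then
                    echo "error: $1 needs a value"; return 2
                fi
                if [ "$1" = "-i" ]; then ifaces=$((ifaces + 1)); fi
                if [ "$1" = "-f" ]; then has_f=1; fi
                shift 2 ;;
            -g|-I)
                shift ;;                      # flags: consume nothing after them
            -*)
                echo "error: option $1 is not known to this checker"; return 2 ;;
            *)
                leftover="${leftover:+$leftover }$1"   # positional word
                shift ;;
        esac
    done
    if [ -n "$leftover" ] && [ "$has_f" -eq 1 ]; then
        echo "conflict: -f given, and leftover '$leftover' is also read as a capture filter"
        return 1
    fi
    if [ -n "$leftover" ]; then
        echo "warning: '$leftover' will be used as the capture filter; interfaces=$ifaces"
        return 0
    fi
    echo "ok: interfaces=$ifaces"
}

# Command from the question with '-f tcp' added: 'eth1' is left over.
check_tshark_args -g -s 65535 -b duration:43200 -a files:1 \
    -i eth0 -I eth1 -f tcp -w /home/pi/DATA/info || true
# Same command with a second lower-case -i: both interfaces, one filter.
check_tshark_args -g -s 65535 -b duration:43200 -a files:1 \
    -i eth0 -i eth1 -f tcp -w /home/pi/DATA/info || true
```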