This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Command line capture filter syntax

0

I want to start wireshark from the command line using a capture filter, so that when wireshark starts it begins capturing immediately and only captures packets that I am interested in. I thought -f would be the ticket, but I am not sure what is going on here. It seems to think that -f is a capture file? Thanks

C:\Program Files\Wireshark>wireshark -i 2 -k -f tcp port==443

C:\Program Files\Wireshark>

wireshark: You can't specify both a live capture and a capture file to be read.

asked 26 Oct '11, 08:33


Grunt
accept rate: 0%

edited 26 Oct '11, 09:57


grahamb ♦


One Answer:

1

You have a quoting issue and a syntax issue. As the capture filter includes spaces, you must quote it, and to filter on TCP port 443 the capture filter would be tcp port 443. Your command line then becomes:

wireshark -i 2 -k -f "tcp port 443"

If you are just capturing for later analysis then you may want to look into dumpcap.

answered 26 Oct '11, 09:56


grahamb ♦
accept rate: 22%
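The following is an added example, not part of the original question or answer and not Wireshark's own code. It models the relevant part of Wireshark's option handling with a plain getopts loop, under the assumption that, as the error message in the question implies, any argument left over after option parsing is taken as a capture file to read. Running it shows why the unquoted filter splits into -f tcp plus a stray positional word, and why the quoted form does not. The second helper is a rough, hypothetical sanity check that flags display-filter syntax (== or dotted field names) being passed where BPF capture-filter syntax is expected.

```shell
#!/bin/sh
# Added example: a small getopts model of how a tool such as Wireshark
# sees "-i IFACE -k -f FILTER", used to show the effect of shell quoting.
# Assumption (not verified against Wireshark's source): anything left over
# after option parsing is treated as a capture file name, which is what
# produces "can't specify both a live capture and a capture file".

# parse_capture_args ARGS...
# Prints one line: iface=<i> start_now=<0|1> filter=<f> leftover=<count>
parse_capture_args() {
    OPTIND=1
    iface="" start_now=0 filter=""
    while getopts "i:kf:" opt; do
        case "$opt" in
            i) iface=$OPTARG ;;
            k) start_now=1 ;;
            f) filter=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    # "$#" is the number of positional words left after the options; a
    # non-zero count is what the modelled tool would take as a capture file.
    printf 'iface=%s start_now=%s filter=%s leftover=%s\n' \
        "$iface" "$start_now" "$filter" "$#"
}

# looks_like_capture_filter FILTER
# Returns 0 when the string looks like BPF capture-filter syntax ("tcp port 443"),
# 1 when it uses display-filter constructs ("tcp.port == 443", "port==443").
looks_like_capture_filter() {
    case "$1" in
        *==*|*.*) return 1 ;;   # '==' and dotted field names belong to display filters
        *) return 0 ;;
    esac
}

# Unquoted, as typed in the question: the shell splits "tcp port==443" into
# two words, so -f receives only "tcp" and "port==443" is left over.
echo "unquoted: $(parse_capture_args -i 2 -k -f tcp port==443)"

# Quoted, as in the answer: the whole filter reaches -f as one argument.
echo "quoted:   $(parse_capture_args -i 2 -k -f "tcp port 443")"

# Syntax check on both filters.
for f in "tcp port 443" "tcp port==443"; do
    if looks_like_capture_filter "$f"; then
        echo "capture-filter syntax OK:  $f"
    else
        echo "display-filter syntax, not BPF: $f"
    fi
done
```

For an unattended capture to a file, the same quoting applies to dumpcap, which accepts -i, -f and -w, for example dumpcap -i 2 -f "tcp port 443" -w capture.pcapng; the interface number 2 is taken from the question and will differ per machine.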