I want to use Wireshark to record the messages, but I don't need all of them. I want to add some rules, for example:

interface: eth1
Network ip: 127.0.0.1
CBTC Base port: 61500
filename: my_record.pcap

Is this possible?

asked 20 Mar '12, 03:11 Alice
One Answer:
Sure. You're talking about capturing network packets while using a capture filter. Wireshark can do it for you, or you use dumpcap directly. In your case you'd need to specify the NIC and add a capture filter like "host a.b.c.d and tcp port 61500", where a.b.c.d is the IP address you want to filter on. By the way, capturing on localhost might give no or funny results, depending on the OS you're on.

answered 20 Mar '12, 03:56 Jasper ♦♦
So I can use a command like this:

tshark -a filesize:1024 -w my_record.pcap -f host 127.0.0.1 and tcp port 61500

And can I use more than one IP address?
Thank you
Yes, you can do -f "host 127.0.0.1 or 192.168.0.1 and tcp port 61500" (as an example). Keep in mind to put the capture filter in quotation marks or the command line will not process the filter like you want it to do.
(I converted your answer to a comment to keep things simple)
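
Putting the thread together, as an added example that is not part of the original posts: a small shell helper that builds the capture filter from a port and a list of hosts, validates each value, and hands it to tshark as one quoted argument together with the interface from the question. The function names are hypothetical and the addresses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Wireshark tooling.

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_capture_filter PORT HOST...: print "(host A or host B) and tcp port P".
# The parentheses make the grouping explicit instead of relying on the
# left-to-right evaluation of "and"/"or" in capture filter syntax.
build_capture_filter() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    [ "$#" -ge 1 ] || { echo "need at least one host" >&2; return 1; }
    hosts=
    for h in "$@"; do
        is_ipv4 "$h" || { echo "bad IPv4 address: $h" >&2; return 1; }
        hosts="${hosts:+$hosts or }host $h"
    done
    printf '(%s) and tcp port %s\n' "$hosts" "$port"
}

# capture IFACE OUTFILE PORT HOST...: start tshark with the generated filter.
capture() {
    iface=$1 outfile=$2; shift 2
    filter=$(build_capture_filter "$@") || return 1
    # "$filter" is quoted so the shell passes the whole expression to -f
    # as a single argument; unquoted, tshark would only see "(host".
    tshark -i "$iface" -f "$filter" -w "$outfile" -a filesize:1024
}

# Usage (constructed addresses):
#   capture eth1 my_record.pcap 61500 192.168.0.1 192.168.0.2
```

Traffic to 127.0.0.1 does not cross eth1, so a loopback capture needs the loopback interface as IFACE where the OS exposes one.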