How to apply display filter for a cap file and save it as seperate cap file with filtered data only by using Tshark..?

0

Is there way to apply display filter for a cap file and save it as seperate cap file with filtered data only..? eg, 1.I have a cap file with full packets 2.Apply display filter to the first cap and save the filtered packets in to another cap file..!

I need this to be done through tshark or some other CLI utility...

Thanks in advance..

asked 01 Aug '12, 04:42

ArunDev's gravatar image

ArunDev
6336
accept rate: 0%

edited 01 Aug '12, 04:45

One Answer:
oldestnewestmost voted
2

You can do tshark -r file1.cap -R "displayfilter" -w file2.cap, which reads file1, applies the filter specified after "-R" and writes it back to file2.cap.

link

answered 01 Aug '12, 04:48

Jasper's gravatar image

Jasper ♦
10.2k328146
accept rate: 15%

Hi.. Thanks for your answer.... But when try to do this i am getting a message as below..!
"tshark: The capture file being read can't be written as a "pcapng" file." command used: tshark -r C:\Users....\Desktop\TDP\new.cap -R "http.referer" -w C:\Users....\Desktop\file2.cap

The first cap file is captured using nmcap(NTMON) and the OS i use is windows 7

Am i doing anything wrong?

Thanks

(01 Aug '12, 05:09) ArunDev

looks like tshark has some trouble writing your nmcap format as pcap-ng. You can try and see if it works when writing to pcap format, by adding the parameter "-F libpcap" to the other parameters.

(01 Aug '12, 05:52) Jasper ♦

I can open the netmon cap file in wirehark and save as pcap or pcapng... and found that the above command works fine.... i need everything needs to be done through cmd....is there any other way i can get the result....Thanks

(01 Aug '12, 06:16) ArunDev
1

You could also use editcap to convert the files first if tshark doesn't; maybe it works with that approach. editcap also has the -F parameter which can be used to write a different file format. You could write a script that converts the file first using editcap and then filters it by using tshark.

(01 Aug '12, 08:20) Jasper ♦

Thank you.... The Trick worked...! First i converted my nmcap to k12txt and back to pcap...Now tshark can do anything....

(01 Aug '12, 21:41) ArunDev
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×247
×51
×26

Asked: 01 Aug '12, 04:42

Seen: 1,129 times

Last updated: 01 Aug '12, 21:41

Related questions

Using a variable as a Display Filter

TShark: Capture and Display Filters for HTTP/HTTPS

how to get only the headers of a packet

TShark: Display Filter and Statistics

how to retrieve packet information using wireshark commands

tshark display filter in windows command-line seems not support special characters

tshark output and ldap.response_in

tshark display filter not working while writing pakets to an outfile

When writing to file with tshark using display filter, not all TCP segments are saved.

tshark: Read filters were specified both with "-R" and with additional command-line arguments

about | faq | privacy | support | contact

powered by OSQA