This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Record message with wireshark

0

I want to use Wireshark to record messages, but I don't need all of them. I want to add some rules, for example:

interface: eth1 Network ip: 127.0.0.1 CBTC Base port: 61500 filename: my_record.pcap

Is this possible?

asked 20 Mar '12, 03:11


Alice
1333
accept rate: 0%


One Answer:

1

Sure. You're talking about capturing network packets while using a capture filter. Wireshark can do it for you, or you can use dumpcap directly. In your case you'd need to specify the NIC and add a capture filter like "host a.b.c.d and tcp port 61500", where a.b.c.d is the IP address you want to filter on. By the way, capturing on localhost might give no or funny results, depending on the OS you're on.

answered 20 Mar '12, 03:56


Jasper ♦♦
23.8k551284
accept rate: 18%

So I can use a command like this: tshark -a filesize:1024 -w my_record.pcap -f host 127.0.0.1 and tcp port 61500

and can I use more than one IP address?

Thank you

(20 Mar '12, 04:05) Alice

Yes, you can do -f "host 127.0.0.1 or 192.168.0.1 and tcp port 61500" (as an example). Remember to put the capture filter in quotation marks, or the command line will not process the filter the way you want it to.

(I converted your answer to a comment to keep things simple)

(20 Mar '12, 04:37) Jasper ♦♦
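The capture command discussed in the answer and comments above, as an added example that is not part of the original thread: a small POSIX shell helper that builds the capture filter for one TCP port and any number of hosts, groups it with explicit parentheses (in pcap filter syntax `and` binds tighter than `or`, so an ungrouped "host A or B and tcp port P" matches all traffic to A plus only port-P traffic to B), and passes it to tshark as a single quoted argument. The interface name, port, hosts, output file and size limit are placeholders taken from the thread; tshark is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires tshark on PATH.

# build_filter PORT HOST... -> prints a capture filter such as
#   "(host 127.0.0.1 or host 192.168.0.1) and tcp port 61500"
# The parentheses matter: without them, "and" would bind only to the last host.
build_filter() {
    port=$1
    shift
    hosts=""
    for h in "$@"; do
        if [ -z "$hosts" ]; then
            hosts="host $h"
        else
            hosts="$hosts or host $h"
        fi
    done
    printf '(%s) and tcp port %s' "$hosts" "$port"
}

# capture IFACE OUTFILE MAXKB FILTER -> runs tshark until the file reaches MAXKB kilobytes.
# "$filter" is passed as ONE argument; unquoted, the shell would split it into
# several words and tshark would only see "host" as the filter expression.
# Note: on Linux, traffic to 127.0.0.1 is only visible on the loopback interface (lo),
# not on eth1.
capture() {
    iface=$1
    outfile=$2
    maxkb=$3
    filter=$4
    tshark -i "$iface" -a "filesize:$maxkb" -w "$outfile" -f "$filter"
}

# Usage: RUN_CAPTURE=1 sh capture.sh   (guarded so sourcing the file does not start a capture)
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    capture eth1 my_record.pcap 1024 "$(build_filter 61500 127.0.0.1 192.168.0.1)"
fi
```

dumpcap accepts the same `-i`, `-a`, `-w` and `-f` options, so `tshark` can be swapped for `dumpcap` in `capture` when only the raw capture file is needed.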