1 | initial version |
To use a capture filter on an already existing file, you would have to use tshark to read from that file and give it the capture filter expression as a value of the -R parameter. So the full command line would be
tshark -r original_pcap_file -R "capture_filter_expression" -w new_pcap_file
However, while it is not possible to write an equivalent of any display filter expression using a capture filter syntax because many protocol fields referred to by display filters are only available after packet dissection, it should be possible to convert any capture filter expression into a display filter expression.
2 | No.2 Revision |
To use a capture filter on an already existing file, you would have to use tcpdump to read from that file and give it the capture filter expression as a value of the filter. So the full command line would be
tcpdump -r original_pcap_file -w new_pcap_file -s 0 capture_filter_expression
However, while it is not possible to write an equivalent of any display filter expression using a capture filter syntax because many protocol fields referred to by display filters are only available after packet dissection, it should be possible to convert any capture filter expression into a display filter expression.