You can have multiple capture filters on the tshark command line, but not in a row. Last one in wins. (If using multiple -f options, they are meant to be sprinkled around the interface options.)
-f <capture filter> ... This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.
The second gotcha is filtering IPv6: BPF Byte filter for VLAN-IPv6-UDP stack
From pcap-filter.7:
Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future).
You can try a mix of capture filter with display filter:
$ tshark -i 5 -f "(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0)" -Y ipv6
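Added example, not part of the original answer: a Python emulation of why the `tcp[tcpflags]` capture filter never matches IPv6 frames, next to a fixed-offset `ip6[...]` capture filter that does. The filter string `IPV6_SYN_FIN_FILTER`, the addresses and the frames are constructed for illustration, and the IPv6 filter assumes the TCP header directly follows the 40-byte IPv6 header (no extension headers).

```python
import struct

# Constructed capture filter emulated by match_ip6_offset_filter() below.
IPV6_SYN_FIN_FILTER = "ip6 and ip6[6] == 6 and (ip6[53] & 0x03) != 0"
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10

def tcp_hdr(flags):
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)

def eth(ethertype):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype)

def ipv4_tcp(flags):
    tcp = tcp_hdr(flags)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth(0x0800) + ip + tcp

def ipv6_tcp(flags, ext_header=False):
    tcp = tcp_hdr(flags)
    addrs = bytes.fromhex("20010db8" + "00" * 11 + "01" + "20010db8" + "00" * 11 + "02")
    # Optional 8-byte Hop-by-Hop header: next header 6 (TCP), then PadN padding.
    ext = bytes([6, 0, 1, 4, 0, 0, 0, 0]) if ext_header else b""
    ip6 = struct.pack("!IHBB", 6 << 28, len(ext) + len(tcp),
                      0 if ext_header else 6, 64) + addrs
    return eth(0x86DD) + ip6 + ext + tcp

def match_tcpflags_filter(frame):
    """Simplified emulation of tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 (IPv4 only)."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return False
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    return (frame[14 + ihl + 13] & (TCP_SYN | TCP_FIN)) != 0

def match_ip6_offset_filter(frame):
    """Emulates IPV6_SYN_FIN_FILTER: fixed offsets from the start of the IPv6 header."""
    if frame[12:14] != b"\x86\xdd" or frame[14 + 6] != 6:
        return False                      # not IPv6, or next header is not TCP
    return (frame[14 + 53] & (TCP_SYN | TCP_FIN)) != 0

def demo():
    frames = {"ipv4 syn": ipv4_tcp(TCP_SYN), "ipv4 ack": ipv4_tcp(TCP_ACK),
              "ipv6 syn": ipv6_tcp(TCP_SYN), "ipv6 fin+ack": ipv6_tcp(TCP_FIN | TCP_ACK),
              "ipv6 ack": ipv6_tcp(TCP_ACK), "ipv6 syn+hbh": ipv6_tcp(TCP_SYN, True)}
    return {n: (match_tcpflags_filter(f), match_ip6_offset_filter(f)) for n, f in frames.items()}

if __name__ == "__main__":
    print(IPV6_SYN_FIN_FILTER, demo(), sep="\n")
```

The last constructed frame shows the limit of the fixed-offset approach: a SYN carried behind an extension header is missed by both filters, which is the case where capturing with a broader filter such as `ip6` and narrowing with a display filter is the safer choice.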