Revision history

initial version

When reading a file using tshark -r, you can use a display filter to limit the output, just like in Wireshark. For example, to show only UDP:

tshark -r file.pcap -Y udp

And only UDP except DNS:

tshark -r file.pcap -Y "udp and not dns"

See the wireshark-filter page for more options.

The output of tshark can also be controlled by command line options. See the manual page https://www.wireshark.org/docs/man-pages/tshark.html .
Or watch a video about tshark (command line options), for example https://youtu.be/1TxAq1xIj1M?t=1401 (from the SharkFest channel).

To filter when capturing, use a capture filter, see https://www.wireshark.org/docs/man-pages/tshark.html (udp to capture only UDP).