Presumably by "dumpcap" you mean "tshark"; if you try running dumpcap with that command, it will tell you that dumpcap doesn't support the -Y flag (which it doesn't - and which it won't, as that would require that it include the Wireshark dissection library and, because dumpcap may have to run with elevated privileges, including dissection in it would mean that a lot of code would run with elevated privileges, which isn't safe).

Note also that if you are using tshark, "data.txt" won't be a text file, it'll be a pcap or pcapng file; if you want the dissection output from tshark to go to a file, you redirect the standard output to a file.

And, in fact,

tshark -i 1 -f "tcp port 8800" -Y "frame contains FILE" >data.txt

will work.

If you do want the raw packet data in a pcap or pcapng file, and want to use a read filter, you can't do that; you'd have to write unfiltered raw data, and then run tshark again to do the filtering.