Ask Your Question
0

dumpcap problem with multiple interfaces and filter

asked 2019-06-21 15:51:59 +0000

JohnBoy gravatar image

updated 2019-06-21 16:02:06 +0000

I am running Wireshark 64 bit v3.0.2 under Windows Server 2012 R2.

I believe I have run into a bug with dumpcap specifically.

My dumpcap cmd line looks like this:

dumpcap -i 3 -i 9 -f "host 172.20.1.2" -b filesize:50000 -b files:20  -w "D:\captures\172-20-1-2.pcapng"

Interfaces 3 and 9 are SPAN ports from my two Nexus 7000 core switches.

When I run this cmd as is, the filter DOES NOT work. All packets on the wires are captured. If I run this same cmd specifying only one interface (either of them), the filter works properly.

Is this a bug or a limitation of some kind?

If I were to run two separate dumpcap instances (in their own cmd shell), can I merge the two pcapng files later into one, preserving the packet order?

Thanks in advance.

John

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-06-21 16:14:33 +0000

grahamb gravatar image

updated 2019-06-21 16:15:22 +0000

Filters after an interface argument only affect the most preceding interface. From the dumpcap man page:

-f <capture filter=""> Set the capture filter expression.

The entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted).

This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

Try the command line:

dumpcap -f "host 172.20.1.2" -i 3 -i 9 -b filesize:50000 -b files:20 -w "D:\captures\172-20-1-2.pcapng"
edit flag offensive delete link more

Comments

Thanks very much Graham... your suggestion worked!! Egg on my face. I actually did read the man page but not closely enough I guess. ;)

Thanks again!

JohnBoy gravatar imageJohnBoy ( 2019-06-21 16:22:29 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-06-21 15:51:59 +0000

Seen: 1,140 times

Last updated: Jun 21 '19

Related questions

Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces

No user interfaces come up when I load up Wireshark

why am i not see my interfaces?

Wireshark Not Responding

How do I change the interface on Tshark?

Changing Interface Name via Editcap

why am i not able to see my interfaces in wireshark except USBPcaps 1,2,3? I am using windows 10 64 bit

How can I resolve the issue of not being able to see my computer interfaces?

How to kill dumpcap.exe - not able to kill it with taskkill running as admin

How can we dump pcap file data onto CAN bus

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2