# dumpcap problem with multiple interfaces and filter

I am running Wireshark 64 bit v3.0.2 under Windows Server 2012 R2.

I believe I have run into a bug with dumpcap specifically.

My dumpcap cmd line looks like this:

```
dumpcap -i 3 -i 9 -f "host 172.20.1.2" -b filesize:50000 -b files:20  -w "D:\captures\172-20-1-2.pcapng"
```


Interfaces 3 and 9 are SPAN ports from my two Nexus 7000 core switches.

When I run this cmd as is, the filter DOES NOT work. All packets on the wires are captured. If I run this same cmd specifying only one interface (either of them), the filter works properly.

Is this a bug or a limitation of some kind?

If I were to run two separate dumpcap instances (in their own cmd shell), can I merge the two pcapng files later into one, preserving the packet order?

John


Filters after an interface argument only affect the immediately preceding interface. From the dumpcap man page:

-f &lt;capture filter&gt; Set the capture filter expression.

The entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted).

This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

Try the command line:

```
dumpcap -f "host 172.20.1.2" -i 3 -i 9 -b filesize:50000 -b files:20 -w "D:\captures\172-20-1-2.pcapng"
```


Thanks very much Graham... your suggestion worked!! Egg on my face. I actually did read the man page but not closely enough I guess. ;)

Thanks again!

( 2019-06-21 16:22:29 +0000 )
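The man-page rule quoted in the answer, as an added example (not part of the original thread and not Wireshark's own code): a Python pre-flight check that resolves which capture filter each `-i` interface ends up with, so an unfiltered SPAN port is caught before the capture starts. It assumes only the separate-token `-i VALUE` and `-f VALUE` forms and that a later `-f` in the same position replaces an earlier one; `effective_filters` and `unfiltered` are hypothetical helper names.

```python
import shlex

# The two command lines from this thread (as asked, and as corrected in the answer).
ASKED = r'dumpcap -i 3 -i 9 -f "host 172.20.1.2" -b filesize:50000 -b files:20  -w "D:\captures\172-20-1-2.pcapng"'
FIXED = r'dumpcap -f "host 172.20.1.2" -i 3 -i 9 -b filesize:50000 -b files:20 -w "D:\captures\172-20-1-2.pcapng"'


def effective_filters(command):
    """Return [(interface, filter_or_None), ...] in command-line order.

    Rule from the dumpcap man page: -f before the first -i sets the default
    filter; -f after an -i applies only to the last -i before it; interfaces
    without a specific filter fall back to the default, if one was given.
    """
    tokens = iter(shlex.split(command)[1:])  # skip the program name
    default = None
    interfaces = []  # [name, specific_filter] pairs

    for tok in tokens:
        if tok not in ("-i", "-f"):
            continue  # other options (-b, -w, ...) do not affect filter scope
        value = next(tokens, None)
        if value is None:
            raise ValueError(f"{tok} is missing its argument")
        if tok == "-i":
            interfaces.append([value, None])
        elif interfaces:
            interfaces[-1][1] = value  # binds to the most recent -i only
        else:
            default = value  # no -i seen yet: this is the default filter

    return [(name, spec if spec is not None else default)
            for name, spec in interfaces]


def unfiltered(command):
    """Interfaces that would capture everything on the wire."""
    return [name for name, flt in effective_filters(command) if flt is None]


if __name__ == "__main__":
    for label, cmd in (("asked", ASKED), ("fixed", FIXED)):
        print(label, effective_filters(cmd), "unfiltered:", unfiltered(cmd))
```
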