Ask Your Question
0

Can I create a capture filter on a pcap file

asked 2018-02-05 12:23:34 +0000

anonymous user

Anonymous

I have a pcap file. I need to create a captrue filter (not display filter). I tried to define the filter from

Capture -> Capture Filters

and click on it. But nothing change. How to apply a capture filter in a pcap file such that I reduce the file content to include only t he messages I'm interested in.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-02-05 13:52:13 +0000

sindy gravatar image

updated 2018-02-05 15:57:45 +0000

To use a capture filter on an already existing file, you would have to use tcpdump to read from that file an give it the capture filter. So the full command line would be
tcpdump -r original_pcap_file -w new_pcap_file -s 0 capture_filter_expression
However, while it is not possible to write an equivalent of any display filter expression using a capture filter syntax because many protocol fields referred to by display filters are only available after packet dissection, it should be possible to convert any capture filter expression into a display filter expression.

edit flag offensive delete link more

Comments

Thanks. Jsut one more question: the -R "capture_filter_expression" can hold any capture filter expression like any normal capture filter that I enter from the "Capture" -> "Capture Filters" in Wireshark? there are no limitations improsed as long as the filter is correct.

anon gravatar imageanon ( 2018-02-05 15:17:07 +0000 )edit

Correct. The very same mechanism is used like for realtime capture (where you would specify the capture filter using -f).

sindy gravatar imagesindy ( 2018-02-05 15:29:33 +0000 )edit

SORRY for mystification. -R uses display filter syntax, and -f cannot be used when reading from a file.

So to use capture filter on an already captured file, you have to use tcpdump.

sindy gravatar imagesindy ( 2018-02-05 15:56:33 +0000 )edit

With -r or -f ??

anon gravatar imageanon ( 2018-02-05 16:22:56 +0000 )edit

For both tcpdump and tshark, -r indicates the name of the file to be read from instead of capturing on an interface. -f has a different meaning for tcpdump than for tshark; for tcpdump, everything on the command line what has no - in front of it is interpreted as capture filter. See the syntax in the edited answer.

sindy gravatar imagesindy ( 2018-02-05 16:32:06 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2018-02-05 12:23:34 +0000

Seen: 2,700 times

Last updated: Feb 05 '18