Ask Your Question
0

tshark - Save to file while filtering with display filter

asked 2020-06-28 20:49:31 +0000

Ashwin N gravatar image

updated 2020-06-29 07:32:27 +0000

Guy Harris gravatar image

Hi, When I run tshark with a capture filter, I can see the messages going to and from my machine. I am able to save to a pcap file using the -w and -F options.

But is there a way to do both simultaneously? (view the output using display filter and save to file whatever is captured during my session - preferable filtered)

When I try this, I receive the following error

tshark -Y bacnet -w bvlc.pcap -F pcap
tshark: Display filters aren't supported when capturing and saving the captured packets.

Is there any way I can do this?

Thanks, Ashwin N

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-06-29 07:31:13 +0000

Guy Harris gravatar image

updated 2020-06-29 07:33:21 +0000

-Y bacnet is a display filter, not a capture filter.

A capture filter would be specified with -f, such as

tshark -f "tcp port 99" -w bvlc.pcap -F pcap

which does work.

We don't support using a display filter with a live capture; that's what the error message means.

edit flag offensive delete link more
add a comment
0

answered 2020-06-28 22:03:22 +0000

Chuckc gravatar image

What operating system are you running on?
This works on Ubuntu.

Shell One:

$ tshark -i 1 -w ./bvlc.pcap -F pcap
Capturing on 'eth0'
194

In a second terminal/shell:

$ tail -c +1 -f ./bvlc.pcap | tshark -r - -Y arp
edit flag offensive delete link more

Comments

Hi, I tried this out, and it does the trick. Great idea, thanks!!

Ashwin N gravatar imageAshwin N ( 2020-06-29 09:50:31 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-06-28 20:49:31 +0000

Seen: 3,883 times

Last updated: Jun 29 '20

Related questions

Resolve frame subtype and export to csv

Capture from only one Port in wireshark and tshark

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

cannot find "Compare two capture files"

Is it possible to test a capture filter with already captured traffic?

can I install only tshark?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2