tshark - Save to file while filtering with display filter

Ashwin N
1 ●1 ●1 ●1

Guy Harris
19905 ●3 ●667 ●207

Hi, When I run tshark with a capture filter, I can see the messages going to and from my machine. I am able to save to a pcap file using the -w and -F options.

But is there a way to do both simultaneously? (view the output using display filter and save to file whatever is captured during my session - preferable filtered)

When I try this, I receive the following error

tshark -Y bacnet -w bvlc.pcap -F pcap
tshark: Display filters aren't supported when capturing and saving the captured packets.

Is there any way I can do this?

Thanks, Ashwin N

add a comment

2 Answers

Sort by » oldest newest most voted

answered Jun 29 '0

Guy Harris
19905 ●3 ●667 ●207

updated Jun 29 '0

-Y bacnet is a display filter, not a capture filter.

A capture filter would be specified with -f, such as

tshark -f "tcp port 99" -w bvlc.pcap -F pcap

which does work.

We don't support using a display filter with a live capture; that's what the error message means.

link

add a comment

answered Jun 28 '0

Chuckc
3048 ●6 ●620 ●20

What operating system are you running on?
This works on Ubuntu.

Shell One:

$ tshark -i 1 -w ./bvlc.pcap -F pcap
Capturing on 'eth0'
194

In a second terminal/shell:

$ tail -c +1 -f ./bvlc.pcap | tshark -r - -Y arp

link

Comments

Hi, I tried this out, and it does the trick. Great idea, thanks!!

Ashwin N ( Jun 29 '0 )

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

tshark - Save to file while filtering with display filter

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

tshark - Save to file while filtering with display filter savecancel

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

tshark - Save to file while filtering with display filter