Ask Your Question
0

Tshark filter issue

asked 2024-05-23 19:17:17 +0000

merveyil gravatar image

updated 2024-05-23 20:18:03 +0000

cmaynard gravatar image

Hi, I have a tshark command but it does not work. Basically I use it like that:

TSHARK_FILTER="\"port 18581 or port 5060 or (port 16050 and greater 72)\"" 
tshark -q -n -i any -f $TSHARK_FILTER -b files:100 -b filesize:40000 -w /tmp/test.pcap

I need to use TSHARK_FILTER as variable. When I run the command, I am getting this:

tshark: A capture filter was specified both with "-f" and with additional command-line arguments.

How can I solve this?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-05-23 19:26:24 +0000

SYN-bit gravatar image

More of a bash question than a tshark question, but my guess (did not test it) is that you need to use:

TSHARK_FILTER="port 18581 or port 5060 or (port 16050 and greater 72)"
tshark -q -n -i any -f "$TSHARK_FILTER" -b files:100 -b filesize:40000 -w /tmp/test.pcap

This will put the whole filter between quotes.

edit flag offensive delete link more

Comments

More of a bash question

Or, rather, "more of a shell question"; not all UN*X command-line shells are bash, but most are Bourne-shell-compatible, and the quoting rules are probably similar even in those that aren't (such as tcsh).

Guy Harris gravatar imageGuy Harris ( 2024-05-24 06:18:40 +0000 )edit

Thank you @SYN-bit

merveyil gravatar imagemerveyil ( 2024-05-24 07:11:33 +0000 )edit

Now i am getting other error. I am running tshark with root user and the owner and group of my directory that i save my pcap files is "merve" and permissions are 775.
Could not be opened: No such file or directory.

I dont want to change my permissions like 777 or i dont want to make my owner and group "root" (due to security). Any other suggestions on that one?

merveyil gravatar imagemerveyil ( 2024-05-24 07:42:50 +0000 )edit

Suggestion: Don't run tshark as root. Run it as a non root user and set dumpcap to have appropriate permissions (either using capabilities, or set uid and only executable by a group to which you belong.) That will limit the time that code is run with privileges.

johnthacker gravatar imagejohnthacker ( 2024-05-24 11:50:55 +0000 )edit

https://wiki.wireshark.org/CaptureSet...

johnthacker gravatar imagejohnthacker ( 2024-05-24 11:51:43 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2024-05-23 19:17:17 +0000

Seen: 61 times

Last updated: May 24

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark