First time here? Check out the FAQ!

Ask Your Question
0

Tshark filter issue
 
  
 
  
 
 
 
 
 
 
    
        
        asked May 23 '4  
 
 merveyil gravatar image  
 
 
 
 
    
        
        updated May 23 '4  
 
 cmaynard gravatar image  
 
 
 
 
 
Hi, I have a tshark command but it does not work.  Basically I use it like that:
 
TSHARK_FILTER="\"port 18581 or port 5060 or (port 16050 and greater 72)\"" 
tshark -q -n -i any -f $TSHARK_FILTER -b files:100 -b filesize:40000 -w /tmp/test.pcap
 
I need to use TSHARK_FILTER as variable.  When I run the command, I am getting this:
 
tshark: A capture filter was specified both with "-f" and with additional command-line arguments.
 
How can I solve this?
 
Preview: (hide)
 
 
 
 
          
 
add a comment
 
 
 
 
 
 1 Answer
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered May 23 '4  
 
 SYN-bit gravatar image  
 
 
 
 
 
More of a bash question than a tshark question, but my guess (did not test it) is that you need to use:
 
TSHARK_FILTER="port 18581 or port 5060 or (port 16050 and greater 72)"
tshark -q -n -i any -f "$TSHARK_FILTER" -b files:100 -b filesize:40000 -w /tmp/test.pcap
 
This will put the whole filter between quotes.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
More of a bash question
Or, rather, "more of a shell question"; not all UN*X command-line shells are bash, but most are Bourne-shell-compatible, and the quoting rules are probably similar even in those that aren't (such as tcsh).
Guy Harris gravatar imageGuy Harris (
    
        May 24 '4
    )
Thank you @SYN-bit
merveyil gravatar imagemerveyil (
    
        May 24 '4
    )
Now i am getting other error. I am running tshark with root user and the owner and group of my directory that i save my pcap files is "merve" and permissions are 775. 

Could not be opened: No such file or directory. 
I dont want to change my permissions like 777 or i dont want to make my owner and group "root" (due to security). Any other suggestions on that one?
merveyil gravatar imagemerveyil (
    
        May 24 '4
    )
Suggestion: Don't run tshark as root. Run it as a non root user and set dumpcap to have appropriate permissions (either using capabilities, or set uid and only executable by a group to which you belong.) That will limit the time that code is run with privileges.
johnthacker gravatar imagejohnthacker (
    
        May 24 '4
    )
https://wiki.wireshark.org/CaptureSet...
johnthacker gravatar imagejohnthacker (
    
        May 24 '4
    )

            
                see more comments
            
        
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 
 
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  May 23 '4  
 
 
        Seen: 224 times 
 

        Last updated: May 24 '24 
 
 
 
Related questions
 
 
 Deduplication in tshark -T ek [closed] 
 
 filtering out protocol, sequence number, and ack  using tshark 
 
 Using tshark filters to extract only interesting traffic from 12GB trace 
 
 Any way to use cmd tshark for a gns3 wire? 
 
 authority RRs tshark 
 
 can I install only tshark? 
 
 How do I change the interface on Tshark? 
 
 Tshark TCP stream assembly 
 
 Tshark output file problem, saving to csv or txt 
 
 How to convert Pcapng file to pcap file by Tshark