tshark stopping without capturing any packets with -c <packet count> option

2018-08-09

donniemillan

updated 2018-08-09 06:10:42 +0000

$ tshark -i en0 -I -Y "" -c 1

Capturing on 'Wi-Fi'

10 packets dropped

0 packets captured

Why is this capture stopping before capturing the specified 1 packet?

1 Answer

2018-08-09

cmaynard

The 0 packets captured is a bit misleading.

Since you didn't specify a capture filter, tshark (dumpcap actually) has captured packets; it's just that your display filter isn't displaying any of them because none of the captured packets matched the display filter.

If you want to stop capturing after 1 packet, then you need to specify a suitable capture filter, not a display filter. Refer to the pcap-filter man page for help with capture filters.

It looks like what I want isn't possible.

I want tshark to run until it captures a frame, and then for tshark to stop. Do you know if this is possible?

donniemillan ( 2018-08-10 )
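The two-stage behaviour cmaynard's answer describes, as an added example that is not part of the original thread and is not tshark or dumpcap code. It is a simplified model: the frame records and their "kind" labels are constructed, `capture_filter` stands in for a capture filter (tshark's `-f`), `display_filter` for `-Y`, and `count` for `-c`.

```python
# Simplified model of a live tshark capture; not tshark or dumpcap source code.
from itertools import islice

# Constructed sample traffic: frame number and a made-up "kind" label.
FRAMES = [
    {"no": 1, "kind": "data"},
    {"no": 2, "kind": "ack"},
    {"no": 3, "kind": "beacon"},
    {"no": 4, "kind": "data"},
    {"no": 5, "kind": "beacon"},
]


def live_capture(frames, count, capture_filter=None, display_filter=None):
    """Return (captured, displayed) frame numbers for one modelled run.

    capture_filter stands in for -f, display_filter for -Y, count for -c.
    The count is consumed at the capture stage, before the display filter runs.
    """
    # Stage 1 (dumpcap in the answer): keep frames passing the capture filter
    # and stop as soon as `count` of them have been captured.
    passing = (f for f in frames if capture_filter is None or capture_filter(f))
    captured = list(islice(passing, count))
    # Stage 2 (tshark): the display filter only hides frames already captured.
    displayed = [f for f in captured if display_filter is None or display_filter(f)]
    return [f["no"] for f in captured], [f["no"] for f in displayed]


def is_beacon(frame):
    """Hypothetical filter predicate used for both stages in this example."""
    return frame["kind"] == "beacon"


if __name__ == "__main__":
    # Display filter only: the first frame of any kind uses up the count.
    print(live_capture(FRAMES, 1, display_filter=is_beacon))
    # Capture filter: the count applies to matching frames only.
    print(live_capture(FRAMES, 1, capture_filter=is_beacon))
```

In the first run the single counted frame is one the display filter hides, so nothing is shown; in the second the count applies only to frames that pass the capture filter.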
