Revision history [back]

Hello,

When using tshark it creates temporary files. When it is used for long time, it will create huge files, therefore it is a good idea to limit the size and number of files.

From reading in the internet, when starting tshark, it will automatically use dumpcap.

Now, I'd like to use pyshark to capture the data and import it to python for further analysis. pyshark uses 2 tools (dumpcap and tshark) as follows:

dumpcap -q -i 5 -w -
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

the outfile, format of text output, ring buffer parameters could be changed with the existing interface of pyshark.

However, If I'd like to use display filter (with -Y) or capture filter (-f) I'm getting Multiple capture files requested, but a capture isn't being done which is tshark`s message

What change do you suggest to do so that live capture could be used with capture filter and/or display filter?

Hello,

When using tshark it creates temporary files. When it is used for long time, it will create huge files, therefore it is a good idea to limit the size and number of files.

From reading in the internet, when starting tshark, it will automatically use dumpcap.

Now, I'd like to use pyshark to capture the data and import it to python for further analysis. pyshark uses 2 tools (dumpcap and tshark) as follows:

dumpcap -q -i 5 -w -
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

the outfile, format of text output, ring buffer parameters could be changed with the existing interface of pyshark.

However, If I'd like to use display filter (with -Y) or capture filter (-f) I'm getting Multiple capture files requested, but a capture isn't being done which is tshark`s message

What change do you suggest to do so that live capture could be used with capture filter and/or display filter?

dumpcap -q -f length ==162 -i 2 -w - 
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

Hello,

When using tshark it creates temporary files. When it is used for long time, it will create huge files, therefore it is a good idea to limit the size and number of files.

From reading in the internet, when starting tshark, it will automatically use dumpcap.

Now, I'd like to use pyshark to capture the data and import it to python for further analysis. pyshark uses 2 tools (dumpcap and tshark) as follows:

dumpcap -q -i 5 -w -
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

the outfile, format of text output, ring buffer parameters could be changed with the existing interface of pyshark.

However, If I'd like to use display filter (with -Y) or capture filter (-f) I'm getting Multiple capture files requested, but a capture isn't being done which is tshark`s message

What change do you suggest to do so that live capture could be used with capture filter and/or display filter?

EDIT: OK. EDIT:

I've tested the proposed change below:

dumpcap -q -f length ==162 -i 2 -w - 
tshark -l -n -T pdml -r - -b filesize:1024 -b files:1 -w /tmp/pyshark.cap -P

and still receiving Multiple capture files requested, but a capture isn't being done

What I'm doing wrong?