This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: Display filters aren’t supported when capturing and saving the captured packets.

0

I am new to tshark. I want to capture some IPP data using Wireshark.

For that I am using the following tshark terminal command:

tshark -i 3 -a duration:20 -Y "ipp contains 02:00:00" -T pdml > gggggg.xml

In the above command I am setting a duration of 20 sec, after which tshark execution will stop automatically and create an XML file.

It is working fine.

But in some situations there is a delay in getting the 'ipp' data, and after 20 sec tshark capturing stops. Due to this I am not able to capture the data; it exits after 20 sec. When I increase the time delay I get the full data as an XML file. I am looking for other options, like setting the file size and stopping tshark when the file size reaches a particular number of KB. For that I changed the tshark command to:

tshark -i 3 -Y "ipp contains 02:00:00" -b filesize:100 -b files:1 -l -w some.txt -T pdml > gggggg.xml

I am getting the error:

tshark: Display filters aren't supported when capturing and saving the captured packets.

How can I create an XML file and, when the file size reaches a particular number of KB, stop the tshark execution? Also, I need to use the filter "ipp contains 02:00:00" (it will only output IPP packet data as XML).

asked 23 Feb '15, 23:55

kichuz

edited 23 Feb '15, 23:58


One Answer:

1

You could try a 2-step approach?

First, capture general traffic of interest using tshark or even dumpcap:

dumpcap -i 3 -f "tcp port 631" -a filesize:100 -n -w gggggg.pcapng

Once dumpcap terminates, have tshark read the exact packets of interest from the capture file and process the packets as you'd like:

tshark -r gggggg.pcapng -Y "ipp contains 02:00:00" -T pdml > gggggg.xml

answered 24 Feb '15, 09:10

cmaynard ♦♦
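
The two-step approach from the answer above, chained into one shell function with basic error handling. This is an added example, not part of the original answer; the function name `capture_then_filter`, its parameters and the temporary-file handling are assumptions, while the dumpcap and tshark options are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): both steps in one function.
# capture_then_filter is a hypothetical name; options are those on this page.

capture_then_filter() {
    if [ "$#" -ne 5 ]; then
        echo "usage: capture_then_filter IFACE CAPTURE_FILTER SIZE_KB DISPLAY_FILTER OUT_XML" >&2
        return 2
    fi
    local iface="$1" cfilter="$2" size_kb="$3" dfilter="$4" out_xml="$5"
    local pcap

    # The autostop size must be a positive integer (kB).
    case "$size_kb" in
        ''|*[!0-9]*|0) echo "SIZE_KB must be a positive integer" >&2; return 2 ;;
    esac

    # Assumption: a temporary file holds the intermediate capture.
    pcap=$(mktemp "${TMPDIR:-/tmp}/capture.XXXXXX") || return 1

    # Step 1: live capture with a capture filter (-f) only; dumpcap stops by
    # itself once the file reaches SIZE_KB. No display filter (-Y) here, since
    # that is what tshark refused in combination with -w.
    if ! dumpcap -i "$iface" -f "$cfilter" -a "filesize:$size_kb" -n -w "$pcap"; then
        echo "dumpcap failed" >&2
        rm -f "$pcap"
        return 1
    fi
    if [ ! -s "$pcap" ]; then
        echo "capture file is empty" >&2
        rm -f "$pcap"
        return 1
    fi

    # Step 2: read the saved capture, apply the display filter, emit PDML.
    if ! tshark -r "$pcap" -Y "$dfilter" -T pdml > "$out_xml"; then
        echo "tshark failed" >&2
        rm -f "$pcap"
        return 1
    fi
    rm -f "$pcap"
}

# Run only when arguments are given: IFACE CAPTURE_FILTER SIZE_KB DISPLAY_FILTER OUT_XML
if [ "$#" -gt 0 ]; then
    capture_then_filter "$@"
fi
```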