Hi,

Would like to capture packets into a file based on if I find for example a specific address in the Ethernet header. Once I find a packet with say mac.src=XX:XX:XX:XX:XX:XX I don't want the entire packet, just some fields or maybe only the Ethernet + IP headers (don't want to store the entire IP payload). So my capture would look something like:

    WHILE (criteria is met)
        IF (mac.src=XX:XX:XX:XX:XX:XX OR mac.dest=XX:XX:XX:XX:XX:XX) THEN
            # save first Y octets in raw data OR MAC+IP headers if that option is possible

I know this syntax doesn't make sense for a script, but as for the concept, could anyone suggest a capture filter that would do the trick?

Thanks!
/Sam

asked 02 Mar '15, 18:11 SamA
One Answer:
This can't be done. dumpcap (the process that does the capture for tshark/Wireshark) always writes full packet bytes to file. Also, a capture filter like you want can't work because it would take way too much time to inspect/filter packets before writing them, which would make the capture process so slow that it would lose too many packets for performance reasons.

Why don't you just specify a capture filter for the MAC addresses you want, and limit the captured bytes to a certain amount, e.g. 64 bytes? This can be done with dumpcap using the "-f" and "-s" parameters.

answered 03 Mar '15, 03:28 Jasper
# "ether host" matches the address as either source or destination; -s sets the snaplen.
# 64 bytes covers Ethernet (14) + IPv4 (20, more with options) and the start of the L4 header;
# a snaplen of 32 would cut the IPv4 header short (14 + 20 = 34 bytes minimum).
dumpcap -i eth0 -s 64 -f "ether host XX:XX:XX:XX:XX:XX" -w dump.pcap
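Because dumpcap always writes whole packet bytes, the per-packet "headers only" trimming the question asks for has to happen after the capture. The following is an added example (not code from the thread or from Wireshark) that implements the asker's pseudocode offline, in Python 3 standard library only, over a classic little-endian pcap with an Ethernet link type (what dumpcap -P produces): records whose Ethernet source or destination matches the MAC are kept and cut down to the Ethernet (+802.1Q) and IPv4 headers, everything else is dropped. The MAC addresses and the sample packets are constructed for the demo.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100

def header_len(pkt):
    """Bytes covered by the Ethernet (+802.1Q tags) and IPv4 headers, or None."""
    off, ethertype = 12, None
    while off + 2 <= len(pkt):
        ethertype = struct.unpack_from("!H", pkt, off)[0]
        off += 2
        if ethertype != ETHERTYPE_VLAN:
            break
        off += 2                              # skip the tag's TCI field
    if ethertype != ETHERTYPE_IPV4 or off >= len(pkt):
        return None
    ihl = (pkt[off] & 0x0F) * 4               # IHL is in 32-bit words
    return off + ihl if 20 <= ihl <= len(pkt) - off else None

def truncate_pcap(data, mac, fallback_snap=64):
    """Keep records with src or dst == mac, cut to headers; non-IPv4 keeps fallback_snap."""
    magic, _, _, _, _, _, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    out, kept, off = [data[:24]], 0, 24       # global header is copied unchanged
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 14 or mac not in (pkt[0:6], pkt[6:12]):
            continue
        keep = header_len(pkt) or min(fallback_snap, len(pkt))
        # orig_len stays as captured, so Wireshark shows the record as truncated
        out.append(struct.pack("<IIII", ts_sec, ts_usec, keep, orig) + pkt[:keep])
        kept += 1
    return b"".join(out), kept

def build_pcap(packets):
    """Constructed sample writer, only here to make the demo self-contained."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p
                          for i, p in enumerate(packets))

TARGET, OTHER = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
IPV4_HDR = bytes.fromhex("45000040") + bytes(16)          # IHL=5 -> 20-byte header
SAMPLE = build_pcap([
    TARGET + OTHER + b"\x08\x00" + IPV4_HDR + b"P" * 40,                   # IPv4: keep 34
    OTHER + TARGET + b"\x81\x00\x00\x64\x08\x00" + IPV4_HDR + b"P" * 40,   # VLAN+IPv4: keep 38
    OTHER + OTHER + b"\x08\x00" + IPV4_HDR + b"P" * 40,                    # other host: dropped
    TARGET + OTHER + b"\x08\x06" + b"A" * 100,                             # ARP: keep 64
])
```

Running `truncate_pcap(SAMPLE, TARGET)` keeps three of the four records; `-s 64` on the dumpcap side still has to be large enough for these headers, since bytes dumpcap never wrote cannot be recovered afterwards.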