This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I save matched packets to a file when using the Wireshark command line?

0

When I run "Wireshark.exe -R "tcp.options.mss_val == 1460" -w mms1460.cap -r tcp.cap", Wireshark is opened and all packets whose mss=1460 are displayed, but I cannot find where "mss1460.cap" is. Why? Thanks a lot.

asked 09 Nov '16, 00:41

w44524
accept rate: 0%

Leaving aside that the command line says mms1460.cap and you then look for mss1460.cap, I'd assume that you should run tshark instead of Wireshark to get the output file written. The explanation of -w in the Wireshark manual suggests that it indicates where to save the captured data, so maybe it is not taken into account if you don't actually capture.

(09 Nov '16, 02:13) sindy

One Answer:

1

As Sindy is saying, you'd better use tshark, the tool intended for that purpose. The command in tshark is quite similar. You only need to change the -R for the filter to -Y:

tshark.exe -Y "tcp.options.mss_val == 1460" -w mms1460.cap -r tcp.cap

In the Wireshark manual I see that -w is to "set the name of the file to be used to save captured packets", so I'm guessing that switch is only intended for capturing traffic and writing the output, and not for when you're reading the trace.

Hope this helps

Osito

answered 09 Nov '16, 03:17

osito
accept rate: 50%
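
What the read, filter and write run in the answer above selects, as an added Python sketch (not part of the original posts and not tshark's code): it reads a capture, keeps only frames whose TCP MSS option equals a given value, and writes them to a new file. It assumes a classic little-endian pcap file (not pcapng) with untagged Ethernet/IPv4 frames; the function names and the sample frames are constructed for illustration.

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic little-endian pcap global header
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def tcp_mss(frame):
    """Return the MSS option of an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    opts = tcp[20:(tcp[12] >> 4) * 4] if len(tcp) >= 20 else b""
    i = 0
    while i + 1 < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        size = 1 if opts[i] == 1 else opts[i + 1]  # NOP has no length byte
        if opts[i] != 1 and size < 2:
            return None                            # malformed length: stop, never loop
        if opts[i] == 2 and size == 4 and i + 4 <= len(opts):
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += size
    return None

def filter_pcap(data, mss):
    """Return (pcap bytes, match count) keeping only frames with that MSS."""
    if PCAP_HDR.unpack_from(data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    out, pos, hits = [data[:PCAP_HDR.size]], PCAP_HDR.size, 0
    while pos + REC_HDR.size <= len(data):
        end = pos + REC_HDR.size + REC_HDR.unpack_from(data, pos)[2]
        # end <= len(data) skips a truncated final record
        if end <= len(data) and tcp_mss(data[pos + REC_HDR.size:end]) == mss:
            out.append(data[pos:end])
            hits += 1
        pos = end
    return b"".join(out), hits

def sample_pcap(mss_values=(1460, 536, 1460)):
    """Constructed input: one minimal SYN frame per MSS value."""
    ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 44, 0, 0, 64, 6, 0)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x60, 0x02, 65535, 0, 0)
    body = b""
    for m in mss_values:
        f = bytes(12) + b"\x08\x00" + ip + tcp + struct.pack("!BBH", 2, 4, m)
        body += REC_HDR.pack(0, 0, len(f), len(f)) + f
    return PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

if __name__ == "__main__":
    out, hits = filter_pcap(sample_pcap(), 1460)
    with open("mss1460.pcap", "wb") as fh:
        fh.write(out)
    print(hits, "matching packets written to mss1460.pcap")
```
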