OSQA is unmaintained. Help us figure out where to go from here.

hello everyone im trying to capture just a TCP files with TSHARK.

tshark -g -s 65535 -b duration:43200 -a files:1 -i eth0 –I eth1 -w /home/pi/DATA/info

im using this right now and want to add a filter

asked 08 Oct, 17:53

jcgarcia007's gravatar image

accept rate: 0%

You can add capture filter to tshark with '-f pcap-filter-expr' (s. also https://wiki.wireshark.org/CaptureFilters).

To filter only tcp packets, use '-f tcp'

permanent link

answered 09 Oct, 00:57

Uli's gravatar image

accept rate: 30%

Are there any rules for using quotes in that case? Tried to add '-f tcp' to the line above in the question, and it didn't work for me.. Errors are:

'tshark: A capture filter was specified both with "-f" and with additional command-line arguments.'

or 'Illegal token'

(09 Oct, 01:59) Packet_vlad

I haven't read the syntax of the inital question right:

The '-I' flag is for running in monitor mode. 'eth1' is interpreted as a capture filter.

Therefore when using '-f tcp' and having 'eth1' there are two capturing filters.

@jcgarcia007: What's the purpose of 'eth1' in your command?

(09 Oct, 02:57) Uli

thanks, this filter work perfectly

(09 Oct, 14:42) jcgarcia007

Presumably what was intended was

tshark -g -s 65535 -b duration:43200 -a files:1 -i eth0 –i eth1 -w /home/pi/DATA/info

I.e., lower-case "i" rather than capital "I", meaning that there are two -i flags, one specifying eth0 and one specifying eth1, so that TShark will capture on both eth0 and eth1.

(10 Oct, 00:33) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 08 Oct, 17:53

question was seen: 100 times

last updated: 10 Oct, 00:33

p​o​w​e​r​e​d by O​S​Q​A