This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark command just to capture TCP, no ARP, DHCP, etc just TCP

Hello everyone, I'm trying to capture just TCP files with TShark.

tshark -g -s 65535 -b duration:43200 -a files:1 -i eth0 -I eth1 -w /home/pi/DATA/info

I'm using this right now and want to add a filter.

asked 08 Oct '17, 17:53

jcgarcia007


One Answer:

You can add a capture filter to tshark with '-f pcap-filter-expr' (see also https://wiki.wireshark.org/CaptureFilters).

To filter only TCP packets, use '-f tcp'.

answered 09 Oct '17, 00:57

Uli

Are there any rules for using quotes in that case? I tried to add '-f tcp' to the line above in the question, and it didn't work for me. The errors are:

'tshark: A capture filter was specified both with "-f" and with additional command-line arguments.'

or 'Illegal token'

(09 Oct '17, 01:59) Packet_vlad
I hadn't read the syntax of the initial question right:

The '-I' flag is for running in monitor mode. 'eth1' is interpreted as a capture filter.

Therefore, when using '-f tcp' and also having 'eth1' there, there are two capture filters.

@jcgarcia007: What's the purpose of 'eth1' in your command?

(09 Oct '17, 02:57) Uli

Thanks, this filter works perfectly.

(09 Oct '17, 14:42) jcgarcia007

Presumably what was intended was

tshark -g -s 65535 -b duration:43200 -a files:1 -i eth0 -i eth1 -w /home/pi/DATA/info

I.e., lower-case "i" rather than capital "I", meaning that there are two -i flags, one specifying eth0 and one specifying eth1, so that TShark will capture on both eth0 and eth1.

(10 Oct '17, 00:33) Guy Harris ♦♦
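The two pitfalls raised in this thread, the stray 'eth1' being swallowed as a second capture filter and the quoting question for '-f', come down to how the argument list reaches tshark. The following POSIX shell helpers are an added example, not code from the thread or from the Wireshark project; the interface names, ring-buffer values and output path are taken from the question and are assumptions for your host.

```shell
#!/bin/sh
# Added example (not from the original thread): assemble the TShark argument list so
# every interface has its own -i and the capture filter travels as ONE argument.
# Interface names, ring-buffer values and the output path are assumptions.

# Print the tshark arguments one per line so they can be inspected or piped on.
# $1 = capture filter in pcap syntax, remaining arguments = interfaces to capture on.
tshark_args() {
    filter=$1; shift
    # One -i per interface; a bare "eth1" with no -i would be read as a capture filter.
    for ifc in "$@"; do
        printf '%s\n%s\n' "-i" "$ifc"
    done
    # -f takes the whole filter as a single argument. Quote multi-word filters at the
    # call site ('tcp and not port 22') so tshark never sees extra positional tokens.
    printf '%s\n%s\n' "-f" "$filter"
    # Snapshot length, 12-hour ring-buffer files, stop after one file, output prefix.
    printf '%s\n' -s 65535 -b duration:43200 -a files:1 -w /home/pi/DATA/info
}

# Count how often a flag appears in the generated list (e.g. expect exactly one -f).
count_flag() {
    flag=$1; shift
    tshark_args "$@" | grep -cx -- "$flag"
}

# Detect the mistake from the thread before running anything: a bare word that is not
# the value of a preceding flag would be treated by tshark as a capture filter.
# Returns 0 when the argument list is clean, 1 when a stray token is present.
has_stray_token() {
    prev=""
    stray=0
    for tok in "$@"; do
        case "$prev" in
            -i|-f|-s|-b|-a|-w) ;;            # this token is the previous flag's value
            *) case "$tok" in
                   -*) ;;                    # an option (note: -I takes no value)
                   *) stray=1 ;;             # bare word: would become a capture filter
               esac ;;
        esac
        prev=$tok
    done
    return $stray
}
```

On a GNU userland `tshark_args 'tcp and not port 22' eth0 eth1 | xargs -d '\n' tshark` runs the capture with the filter intact; `has_stray_token -i eth0 -I eth1 -f tcp` fails, reproducing the "specified both with -f and with additional command-line arguments" situation without starting a capture.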