0

Tshark piped and filtered

I want to capture a data stream coming from a pipe and save it to a file (by -w) but with an applied filter (portnumber).

-R doesn't work because "tshark: -R without -2 is deprecated"

-R -2 doesn't work because "Live captures do not support two-pass analysis."

-Y doesn't work because "tshark: Display filters aren't supported when capturing and saving the captured packets."

So, how can I do it?

greetings, f.

froggy
asked 2019-07-19 13:01:45 +0000


2 Answers

0

Oh, right, sorry, I missed that you were capturing from a pipe. <sigh> I read too quickly these days... (Thanks Chris.)

The issue with capture filters is that capture filters are normally implemented in the kernel; Wireshark/tshark doesn't have to deal with it. When reading from a pipe BPF isn't involved, so something in userspace (libpcap?) would have to re-implement the filtering.

And, as bug 2234 describes, display filtering happens in a separate process than the one doing the capturing and writing the file.

So, no, there isn't a good solution. You'll probably have to post-process the files to do the filtering (painful, I know).

Hmm, can I now downvote my old (bogus) answer? I'll find out...

JeffMorriss
answered 2019-07-19 19:47:19 +0000

Comments

Apparently I can't downvote my own answer. Oh well...

JeffMorriss (2019-07-19 19:47:46 +0000)

The kernel vs. userland isn't what matters here for capture filters.

When doing a live capture from a device, the capture is done using libpcap (libpcap is part of WinPcap and Npcap, so that even applies on Windows). Libpcap will have the filtering done in the kernel if possible, otherwise it'll do it in userland; that's transparent to the program doing the capture (tcpdump, dumpcap, etc.).

With a live capture, the link-layer type - which is required in order to compile a capture filter into BPF pseudo-machine code - is known as soon as the device is opened, so the program doing the capture can immediately compile the filter, getting and reporting an error if it's invalid, and setting the filter to the result of the compilation if it's valid.

When capturing on a pipe, however, that doesn't go through libpcap; it goes through dumpcap code ...

Guy Harris (2019-07-19 20:49:39 +0000)

Apparently I can't downvote my own answer

I've downvoted it for you.

Guy Harris (2019-07-19 20:51:37 +0000)
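The post-processing step that Jeff's answer points to, as an added example that is not code from this thread or from the Wireshark project: a userspace pass over a classic pcap that keeps only the TCP/UDP records to or from one port, i.e. what a capture filter such as "udp port 5060" would have selected if dumpcap applied it on a pipe. The pcap record layout and Ethernet/IPv4 decoding are the standard formats; the sample capture is constructed inline, and only plain Ethernet/IPv4 frames are decoded (no VLAN, IPv6 or pcapng).

```python
import struct

LINKTYPE_ETHERNET = 1  # the only link type decoded here (no VLAN, IPv6 or SLL)

def l4_ports(frame):
    """(src_port, dst_port) of an Ethernet/IPv4/{TCP,UDP} frame, else None.
    Non-first IP fragments carry no L4 header, so they never match (as with BPF)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if proto not in (6, 17) or frag_off or len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])

def filter_pcap_by_port(data, port):
    """Re-emit a classic pcap keeping only TCP/UDP records with src or dst == port.
    Returns (filtered_pcap_bytes, records_seen, records_kept)."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= 24 else None
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # file byte order from the magic
    if endian is None:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are decoded")
    out, off, seen, kept = bytearray(data[:24]), 24, 0, 0
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        rec, off, seen = data[off:off + 16 + incl_len], off + 16 + incl_len, seen + 1
        ports = l4_ports(rec[16:])
        if ports is not None and port in ports:
            out += rec
            kept += 1
    return bytes(out), seen, kept

def make_udp_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame for the demo (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip

def make_pcap(frames):
    """Constructed little-endian classic pcap (snaplen 65535, Ethernet) holding frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

SAMPLE_PCAP = make_pcap([make_udp_frame(5060, 5060, b"INVITE"), make_udp_frame(40000, 53, b"dns"),
                         make_udp_frame(5060, 40001, b"200 OK")])  # constructed: two SIP datagrams, one DNS
```

On a real capture file the same result comes from tshark itself, since display filters are accepted when reading from a file rather than a live source: tshark -r dump.pcap -Y "udp.port == 5060" -w filtered.pcap.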
-1

You can't apply display filters while capturing. However, you can apply capture filters. If by "port" you mean an L4 (TCP/UDP/SCTP) port then you could use a capture filter (e.g., tshark -f "tcp port 443" [...])

JeffMorriss
answered 2019-07-19 13:39:48 +0000

Comments

Hi Jeff,

thanks for the fast answer. I tried

... pipe | tshark -i - -f "port sip"  -w dump.pcap

and also

... pipe | tshark -i - -f "port 5060"  -w dump.pcap

and

... pipe | tshark -i - -f "udp port 5060"  -w dump.pcap

but the whole traffic is always in dump.pcap, not only the traffic on port 5060.

what's wrong in my command line?

greetings,

f.

froggy (2019-07-19 14:06:14 +0000)

So Bug 1814 means there is no solution for my problem?

The most powerful toolset for network analysing in the world is not able to catch a stream from a pipe, filter it and save it to a file? Very strange :-(

f.

froggy (2019-07-19 14:41:23 +0000)

"The most powerful toolset for network analysing in the world is" composed of several parts, added at different times, which don't always fit together cleanly; sometimes "powerful" programs are powerful because they've had a lot of capabilities added, not all of which fit together smoothly.

Guy Harris (2019-07-19 20:51:18 +0000)
