THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

tshark - Save to file while filtering with display filter

Hi, When I run tshark with a capture filter, I can see the messages going to and from my machine. I am able to save to a pcap file using the -w and -F options.

But is there a way to do both simultaneously? (view the output using display filter and save to file whatever is captured during my session - preferable filtered)

When I try this, I receive the following error

tshark -Y bacnet -w bvlc.pcap -F pcap
tshark: Display filters aren't supported when capturing and saving the captured packets.

Is there any way I can do this?

Thanks, Ashwin N

Ashwin N's avatar
1
Ashwin N
asked 2020-06-28 20:49:31 +0000
Guy Harris's avatar
19.9k
Guy Harris
updated 2020-06-29 07:32:27 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

2 Answers

0

What operating system are you running on?
This works on Ubuntu.

Shell One:

$ tshark -i 1 -w ./bvlc.pcap -F pcap
Capturing on 'eth0'
194

In a second terminal/shell:

$ tail -c +1 -f ./bvlc.pcap | tshark -r - -Y arp
Chuckc's avatar
3k
Chuckc
answered 2020-06-28 22:03:22 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Hi, I tried this out, and it does the trick. Great idea, thanks!!

Ashwin N's avatar Ashwin N (2020-06-29 09:50:31 +0000) edit
more
  • delete
add a comment see more comments
0

-Y bacnet is a display filter, not a capture filter.

A capture filter would be specified with -f, such as

tshark -f "tcp port 99" -w bvlc.pcap -F pcap

which does work.

We don't support using a display filter with a live capture; that's what the error message means.

Guy Harris's avatar
19.9k
Guy Harris
answered 2020-06-29 07:31:13 +0000, updated 2020-06-29 07:33:21 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer