Tshark filter issue

Hi, I have a tshark command, but it does not work. Basically, I use it like this:

TSHARK_FILTER="\"port 18581 or port 5060 or (port 16050 and greater 72)\"" 
tshark -q -n -i any -f $TSHARK_FILTER -b files:100 -b filesize:40000 -w /tmp/test.pcap

I need to use TSHARK_FILTER as a variable. When I run the command, I get this:

tshark: A capture filter was specified both with "-f" and with additional command-line arguments.

How can I solve this?

merveyil
asked 2024-05-23 19:17:17 +0000
cmaynard
updated 2024-05-23 20:18:03 +0000

1 Answer

More of a bash question than a tshark question, but my guess (did not test it) is that you need to use:

TSHARK_FILTER="port 18581 or port 5060 or (port 16050 and greater 72)"
tshark -q -n -i any -f "$TSHARK_FILTER" -b files:100 -b filesize:40000 -w /tmp/test.pcap

This will put the whole filter between quotes.

SYN-bit
answered 2024-05-23 19:26:24 +0000
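
The difference between the question's form and the answer's form, as an added example that is not part of the original answer. `parse_like_tshark` is a hypothetical, simplified stand-in for an option parser (not tshark's code); it reports the value `-f` received and how many leftover words followed, which tshark would treat as an additional capture filter.

```shell
#!/bin/sh
# Added example. Needs no tshark and captures nothing; it only shows
# which arguments the shell hands to the program in each form.

# Hypothetical stand-in parser: knows only the flags used on this page.
# Prints "<value given to -f>|<count of leftover non-option words>".
parse_like_tshark() {
    filter=
    extra=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -f) filter=$2; shift 2 ;;          # option that takes the filter
            -i|-b|-w) shift 2 ;;               # other options with a value
            -q|-n) shift ;;                    # flags without a value
            *) extra=$((extra + 1)); shift ;;  # leftover word
        esac
    done
    printf '%s|%s\n' "$filter" "$extra"
}

# Question's form: quote characters are stored inside the value.
BROKEN_FILTER="\"port 18581 or port 5060 or (port 16050 and greater 72)\""
# Answer's form: plain value, quoted where it is expanded.
GOOD_FILTER="port 18581 or port 5060 or (port 16050 and greater 72)"

# Unquoted expansion: the shell splits the value on whitespace, and the
# embedded quote characters are ordinary data, not shell syntax.
run_broken() {
    parse_like_tshark -q -n -i any -f $BROKEN_FILTER \
        -b files:100 -b filesize:40000 -w /tmp/test.pcap
}

# Quoted expansion: the whole filter arrives as a single argument.
run_fixed() {
    parse_like_tshark -q -n -i any -f "$GOOD_FILTER" \
        -b files:100 -b filesize:40000 -w /tmp/test.pcap
}

echo "question's form: $(run_broken)"
echo "answer's form:   $(run_fixed)"
```

In the question's form, `-f` receives only `"port` (with a literal quote character) and ten more words are left over, which matches the error message about a filter given both with `-f` and with additional arguments.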

Comments

More of a bash question

Or, rather, "more of a shell question"; not all UN*X command-line shells are bash, but most are Bourne-shell-compatible, and the quoting rules are probably similar even in those that aren't (such as tcsh).

Guy Harris (2024-05-24 06:18:40 +0000)

Thank you @SYN-bit

merveyil (2024-05-24 07:11:33 +0000)

Now I am getting another error. I am running tshark as the root user, and the owner and group of the directory where I save my pcap files is "merve" and the permissions are 775.
Could not be opened: No such file or directory.

I don't want to change my permissions to something like 777, and I don't want to make my owner and group "root" (for security reasons). Any other suggestions on that one?

merveyil (2024-05-24 07:42:50 +0000)

Suggestion: Don't run tshark as root. Run it as a non-root user and set dumpcap to have appropriate permissions (either using capabilities, or set uid and only executable by a group to which you belong). That will limit the time that code is run with privileges.

johnthacker (2024-05-24 11:50:55 +0000)