Wireshark mailing list archives
how to apply a capture filter and save captured packets to an output file using tshark
From: "Sreenivasulu Yellamaraju" <Sreenivasulu.Yellamaraju () csr com>
Date: Wed, 29 Dec 2010 18:12:59 +0530
Hi, I am trying to use tshark wit the following purpose : Run it for a duration of overnight(12 hours), capture only management packets to/or from a known WLAN AP during those 12 hours and save the output to a PCAP format file. This is my sniffer setup: WireShark version 1.2.9 (SVN Rev 33171) winpcap 4.1.1, libpcap 1.0 Tshark version 1.2.9(SVN Rev 33171) Adapter : AirPCapNx from CACE technologies Trial 1 ------ The obvious solution is capture every packet in the air,save them and process later : tshark -i wlan0 -w output.cap tshark -i output.cap -R "display filter" -w output-processed.cap [this works only if above step works and output.pcap is generated after 12 hours] But as I am running tshark for 12 hours and as there are hundreds of thousands of packets in air, the file output.cap becomes either too large of tshark itself is dying within 12 hours. Next,I have tried the following over a duration of 1 minute to see if it works : tshark -i wlan0 -R "display filter" -w output-processed.cap Although output-processed.cap is generated, it contains each and every packet in air and there is no effect of display filter. Is there any switch to tshark that I am missing? Trial 2 ------- Next, I have tried to apply capture filter in WireShark's GUI. I have tried some sample capture filters but none of them are accepted by the capture dialog box. type mgt subtype assocreq or subtype assocresp Is there anything I am missing while entering these capture filters in Wireshark GUI ? Regards, Sreenivasulu Y Lead Engineer Member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- how to apply a capture filter and save captured packets to an output file using tshark Sreenivasulu Yellamaraju (Dec 29)
- Re: how to apply a capture filter and save captured packets to an output file using tshark Sake Blok (Dec 29)
- Re: how to apply a capture filter and savecaptured packets to an output file using tshark Sreenivasulu Yellamaraju (Dec 29)
- Re: how to apply a capture filter and save captured packets to an output file using tshark Sake Blok (Dec 29)