Wireshark mailing list archives

Re: Display results to window


From: Guy Harris <guy () alum mit edu>
Date: Tue, 1 Nov 2011 13:13:52 -0700

To quote the answer to the previous asking of these questions:

On Nov 1, 2011, at 12:17 PM, Jeffrey Starin wrote:

> Hello All,
>
> Question: when using dumpcap to write to a file, is there a switch for viewing the data on the monitor as it writes to file?

What do you mean by "viewing the data"?  Dumpcap has no switch to dump out the raw contents of the bytes in the packet 
as hex or ASCII, and will *never ever* have a switch to view the packets as dissected - one of the reasons why dumpcap 
*exists* is *not* to have any capability to dissect packets, so that, if a program has to run with special privileges 
in order to capture network traffic, there's a limited amount of code running with those privileges, and thus a limited 
amount of code that has to be considered "safe".  Wireshark and TShark run dumpcap to capture traffic; running 
Wireshark or TShark with any special privileges would be foolish.  (Yes, this means "don't run Wireshark or TShark as 
root.")

If you want to see dissected versions of the packets as they're captured, use TShark with the -S flag.

> And alas, if I only want to capture the ip addresses of the two endpoints to the conversation along with timestamp, what would be the proper filter to use?

What do you mean by "only want to capture the ip addresses of the two endpoints"?  If you mean you only want to capture 
traffic between two particular known-by-IP-address endpoints, you'd want a capture filter of

        host {IP address 1} and {IP address 2}

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
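An added example, not code from the post or from the Wireshark project, that turns the advice above into a least-privilege capture wrapper: it refuses to run as root, checks that dumpcap alone carries the capture capabilities, builds the two-endpoint capture filter and runs an unprivileged TShark that writes the file while printing dissected packets. It assumes Linux with libcap's getcap, dumpcap and tshark on PATH; the interface and output file are parameters.

```shell
#!/bin/sh
# Least-privilege capture wrapper (added example, not from the mailing list).
# Privilege lives on the dumpcap binary only; tshark itself stays unprivileged.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Capture filter for traffic between two endpoints. "host" is written on both
# sides; pcap also accepts the shorthand "host A and B" quoted in the post.
build_filter() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    printf 'host %s and host %s' "$1" "$2"
}

# Pre-flight: not root, dumpcap present and carrying cap_net_raw + cap_net_admin
# as file capabilities (the usual Linux alternative to running anything as root).
preflight() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root; give dumpcap file capabilities instead" >&2
        return 1
    fi
    dc=$(command -v dumpcap) || { echo "dumpcap not in PATH" >&2; return 1; }
    case "$(getcap "$dc" 2>/dev/null)" in
        *cap_net_raw*cap_net_admin*|*cap_net_admin*cap_net_raw*) ;;
        *) echo "dumpcap lacks capabilities; e.g. setcap 'cap_net_raw,cap_net_admin+eip' $dc" >&2
           return 1 ;;
    esac
}

# Usage: capture_between IP1 IP2 IFACE OUTFILE
# Writes OUTFILE while printing each packet dissected. -S is the flag named in
# the post (2011-era TShark); newer releases renamed this behaviour to -P.
capture_between() {
    f=$(build_filter "$1" "$2") || { echo "bad IPv4 address" >&2; return 1; }
    preflight || return 1
    tshark "${PRINT_FLAG:--S}" -i "$3" -w "$4" -f "$f"
}
```

Set `PRINT_FLAG=-P` when running against a current TShark.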
