Wireshark mailing list archives

Re: Display dumpcap in real time


From: Martin Visser <martinvisser99 () gmail com>
Date: Wed, 2 Nov 2011 07:27:47 +1100

Chip,

Filters on dumpcap (-f) are capture filters, which restrict what is being
captured to file. Display filters (-R on tshark) restrict what is being
displayed, but don't affect what is captured.

You can use tshark, but just set it to say stop after ten minutes (using
say -a duration:600), to limit how much context and hence memory tshark
consumes.  You then just need a script wrapper to loop starting new
instances of tshark, like so:-

while [ 1 ]; do tshark -i eth1 -a duration:600 -T fields -e frame.time -e ip.src -e ip.dst; done


Regards, Martin

MartinVisser99 () gmail com


On 2 November 2011 07:14, Chip <jeffschips () gmail com> wrote:

On 11/1/2011 4:07 PM, Martin Visser wrote:

-T fields -e frame.time -e ip.src -e ip.dst

Thanks Martin.

I need to use dumpcap because it has a smaller memory footprint.  So if
dumpcap cannot display to screen -- I guess I will have to live with that
for now -- what are the filters to only display http and https traffic when
using dumpcap -- I cannot find any reference to the filtering techniques
when using dumpcap.  Or is that intentional -- it just dumps everything.

Thanks.
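
Added example (not part of the original posts): a POSIX shell version of the restart loop from the reply that also passes a capture filter with -f, so only traffic on the HTTP and HTTPS default ports is captured, and that stops when tshark exits with an error instead of respawning forever. The function names, the TSHARK variable and the --run argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example. port_filter, capture_loop, TSHARK and --run are
# hypothetical names chosen for this sketch.
TSHARK=${TSHARK:-tshark}

# Build a capture (BPF) filter from TCP port numbers,
# e.g. "tcp port 80 or tcp port 443".
port_filter() {
    filter=""
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range: $port" >&2; return 2; }
        filter="${filter:+$filter or }tcp port $port"
    done
    [ -n "$filter" ] || return 2
    printf '%s\n' "$filter"
}

# capture_loop DURATION IFACE PORT...
# Starts a fresh tshark every DURATION seconds so no single instance
# accumulates state for long. The -f filter limits what is captured at
# all; a display filter would only limit what is shown.
# Packets arriving while one instance exits and the next starts are missed.
capture_loop() {
    duration=$1 iface=$2
    shift 2
    filter=$(port_filter "$@") || return 2
    while :; do
        # Stop on the first failing instance (for example a bad interface
        # name) rather than spinning in a tight restart loop.
        "$TSHARK" -i "$iface" -f "$filter" -a "duration:$duration" \
            -T fields -e frame.time -e ip.src -e ip.dst || return $?
    done
}

# Only capture when asked to: sh script.sh --run [interface]
# Ports 80 and 443 assume HTTP and HTTPS on their default ports.
if [ "${1:-}" = "--run" ]; then
    capture_loop 600 "${2:-eth1}" 80 443
fi
```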
