Wireshark mailing list archives
Re: Allowing display filters during capture
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Fri, 13 Mar 2015 10:22:14 -0400
On 03/12/15 14:37, Avaneesh Kadam wrote:
> Can we remove the following tshark check?
> ==
> main()
> {
>     if (global_capture_opts.saving_to_file) {
>         if (dfilter != NULL) {
>             cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
>             return 1; //remove this check to allow DF while capturing.
>         }
>     }
> }
> ==
> I was looking for the following command to work:
> ==
> tshark -Y "udp.port==137" -f udp -x -w udp_all.pcap
> ==
> E.g., the above command will capture and save all UDP packets and display only the ones with port 137. By removing the above check I could get this to work, although I have not done thorough testing yet.
That will work for your purpose. The reason the check is there, however, is that most people seem to expect that applying the display filter would affect what messages are sent to the output file (udp_all.pcap). (They may have that expectation because that's what would have happened in much older versions of Wireshark/Ethereal--before the existence of dumpcap.)
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev