Wireshark mailing list archives

how to apply a capture filter and save captured packets to an output file using tshark


From: "Sreenivasulu Yellamaraju" <Sreenivasulu.Yellamaraju () csr com>
Date: Wed, 29 Dec 2010 18:12:59 +0530

Hi,

 

I am trying to use tshark with the following purpose:

Run it overnight (12 hours), capture only management
packets to or from a known WLAN AP during those 12 hours and save the
output to a PCAP format file.

 

This is my sniffer setup:

 

Wireshark version 1.2.9 (SVN Rev 33171)
winpcap 4.1.1, libpcap 1.0
Tshark version 1.2.9 (SVN Rev 33171)
Adapter: AirPcapNx from CACE Technologies

 

Trial 1
-------

The obvious solution is to capture every packet in the air, save them and
process them later:

tshark -i wlan0 -w output.cap 

tshark -i output.cap -R "display filter" -w output-processed.cap [this
works only if above step works and output.pcap is generated after 12
hours]

 

But as I am running tshark for 12 hours and as there are hundreds of
thousands of packets in the air, the file output.cap becomes either too
large or tshark itself is dying within 12 hours.

 

Next, I have tried the following over a duration of 1 minute to see if
it works:

tshark -i wlan0 -R "display filter" -w output-processed.cap

 

Although output-processed.cap is generated, it contains each and every
packet in the air and the display filter has no effect.

 

Is there any switch to tshark that I am missing?

 

Trial 2
-------

Next, I have tried to apply a capture filter in Wireshark's GUI.

 

I have tried some sample capture filters but none of them are accepted
by the capture dialog box.

type mgt

subtype assocreq or subtype assocresp

 

Is there anything I am missing while entering these capture filters in
the Wireshark GUI?

 

 

Regards,

Sreenivasulu Y

Lead Engineer

 



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users