Re: Capture filter

[Tharaneedharan Vilwanathan <vdharani () gmail com>]

Hi All,

Reposting since it doesn't seem to have reached. Sorry if it is a repeat.

Regards
dharani

On Thu, Sep 15, 2011 at 3:25 PM, Tharaneedharan Vilwanathan
<vdharani () gmail com> wrote:
> Hi All,
>
> I have a quick question on capture filter.
>
> I use named pipe to pass the packets to tshark. With a capture filter,
> I tried to (a) store packets, (b) display and (c) store and display
> the packets.
>
> $ tshark -i pipe_to_tshark -w test.pcap -f 'udp port 1900'
> $ tshark -i pipe_to_tshark -S -f 'udp port 1900'
> $ tshark -i pipe_to_tshark -w test.pcap -S -f 'udp port 1900'
>
> In all the above cases, packets dont seem to be filtered. From the
> documentation, it looks like capture filter is valid only for live
> traffic.
>
> Is the traffic arriving via named pipe considered live traffic? If so,
> why is the filtering not happening? If not, why tshark doesn't throw
> an error message?
>
> I remember capture filter being applied in kernel for live traffic
> which doesn't apply for my case above but just wanted to confirm,
> since I didnt see any error message for the above usages.
>
> I tried tshark 1.0.7 but I can try a later version if thats the problem.
>
> Please share your thoughts. Also, appreciate any pointers on capture
> filter implementation.
>
> Thanks
> dharani
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe