Wireshark · Wireshark-users: Re: [Wireshark-users] Capture Specific Ports

Wireshark-users: Re: [Wireshark-users] Capture Specific Ports

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Fri, 15 Jun 2007 09:16:08 -0700

Les Bowditch wrote:

Currently, the above syntax is capturing _/everything/_, not just thespecified ports. Is the syntax incorrect,


Yes.

From the man page:

  -d  <layer type>==<selector>,<decode-as protocol>
      Specify that if the layer type in question (for example, tcp.port
      or udp.port for a TCP or UDP port number) has the specified selec-
      tor value, packets should be dissected as the specified protocol.

      Example: -d tcp.port==8888,http will decode any traffic running
      over TCP port 8888 as HTTP.

The "-d" flag doesn't affect what gets captured; it affects how whatgets captured is *interpreted*.

And if you're running with "-w" and without "-S", no dissection, and nointerpretation, is done, so not only does "-d" not affect what getscaptured, it doesn't affect *anything* in your example.


What you want is

tshark -w /home/active_cap/ -b duration:900 -b filesize:50000 -i vr0tcp port 5060 or tcp port 6800 or tcp port 6801 or tcp port 6802

References:
- [Wireshark-users] Capture Specific Ports
  - From: Les Bowditch

Prev by Date: Re: [Wireshark-users] Capturing local traffic on Windows XP
Next by Date: Re: [Wireshark-users] Capturing local traffic on Windows XP
Previous by thread: [Wireshark-users] Capture Specific Ports
Next by thread: [Wireshark-users] Capturing local traffic on Windows XP
Index(es):
- Date
- Thread