Wireshark-users: [Wireshark-users] Tshark -R option



From: sean bzd <seanbzd@xxxxxxxxx>
Date: Wed, 2 Sep 2009 15:24:46 -0400

Folks,

I'm using the following tshark command to capture some packets; I was expecting that only the packets satisfying the read filter condition "myprotodissector.something==528" would be written to the output file C:\Traffic.pcap, but this is not happening. The .pcap file contains lots of other packets not matching the read filter. I was expecting to see ONLY the packets satisfying the read filter in the output file. What is interesting, though, is that while the capture is in progress, the stdout showing the number of packets is correctly indicating the # of packets satisfying the read filter (for example, if I captured 100 packets and 2 satisfied the read filter, stdout shows 2, but the output file contains all 100 packets).


C:\Program Files\Wireshark>tshark.exe -i 4 -x -t ad -R "myprotodissector.something==528" -b filesize:5000 -w C:\Traffic.pcap

This is what the manual says:

-R <read (display) filter>

Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written.



A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).
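The manual text quoted above says a read filter is also supported when reading a capture file back, so the expected "discard rather than write" behaviour can always be obtained as a second pass over the saved .pcap. The following is an added example, not code from the post or from Wireshark: a minimal pcap reader that applies a read-filter predicate and writes only matching records. The capture is constructed in memory, and "UDP destination port 528" is a constructed stand-in for the poster's "myprotodissector.something==528" field test.

```python
import struct

# pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def udp_frame(dst_port, payload=b"x"):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; sample data only)."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0) + payload
    return eth + ip + udp

def build_pcap(frames):
    """Wrap frames in little-endian pcap record headers (ts_sec, ts_usec, incl_len, orig_len)."""
    out = bytearray(PCAP_GLOBAL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1252000000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def iter_packets(pcap):
    """Yield (record_header, frame) for every record in a little-endian pcap."""
    pos = 24
    while pos + 16 <= len(pcap):
        hdr = pcap[pos:pos + 16]
        incl_len = struct.unpack("<I", hdr[8:12])[0]
        yield hdr, pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def udp_dst_port(frame):
    """UDP destination port of an Ethernet/IPv4/UDP frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 8:
        return None
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]

def read_filter(pcap, predicate):
    """Second-pass read filter: non-matching records are discarded, matching ones are written."""
    out = bytearray(pcap[:24])
    kept = 0
    for hdr, frame in iter_packets(pcap):
        if predicate(frame):
            out += hdr + frame
            kept += 1
    return bytes(out), kept

if __name__ == "__main__":
    capture = build_pcap([udp_frame(53), udp_frame(528), udp_frame(80), udp_frame(528)])
    filtered, kept = read_filter(capture, lambda f: udp_dst_port(f) == 528)
    print(f"kept {kept} of {len(list(iter_packets(capture)))} packets")
```

Running it reports 2 of 4 packets kept, which is what the manual leads one to expect from the -w output; with tshark itself the same second pass is `-r` on the saved file plus `-R` and a fresh `-w` target.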