
Subject: [Wireshark-dev] Capture filter

From: Tharaneedharan Vilwanathan <vdharani@xxxxxxxxx>
Date: Thu, 15 Sep 2011 15:25:23 -0700
Hi All,

I have a quick question on capture filters.

I use a named pipe to pass packets to tshark. With a capture filter,
I tried to (a) store the packets, (b) display them, and (c) store and
display the packets.

$ tshark -i pipe_to_tshark -w test.pcap -f 'udp port 1900'
$ tshark -i pipe_to_tshark -S -f 'udp port 1900'
$ tshark -i pipe_to_tshark -w test.pcap -S -f 'udp port 1900'

In all the above cases, packets don't seem to be filtered. From the
documentation, it looks like a capture filter is valid only for live
traffic.

Is the traffic arriving via a named pipe considered live traffic? If so,
why is the filtering not happening? If not, why doesn't tshark throw
an error message?

I remember the capture filter being applied in the kernel for live traffic,
which doesn't apply in my case above, but I just wanted to confirm,
since I didn't see any error message for the above usages.

I tried tshark 1.0.7, but I can try a later version if that's the problem.

Please share your thoughts. Also, I'd appreciate any pointers on the
capture filter implementation.

Thanks
dharani
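A small generator for reproducing the question above, added here as an example and not part of the original thread: it writes a constructed pcap stream of three UDP 1900 (SSDP-style) datagrams and two UDP 5353 datagrams to the path given on the command line (for example the FIFO pipe_to_tshark), and count_udp_port() returns how many frames a working 'udp port 1900' capture filter should leave in test.pcap, so the -w output can be checked against the input. Standard library only; the MAC addresses, IP addresses and payloads are made up.

```python
import struct, sys

# Constructed sample traffic: three SSDP-style datagrams to UDP 1900 and two
# mDNS-style datagrams to UDP 5353; 'udp port 1900' should keep exactly three.
SAMPLE = [(1900, b"M-SEARCH * HTTP/1.1\r\n")] * 3 + [(5353, b"\x00\x00\x84\x00")] * 2

def ip_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over a 20-byte IPv4 header (0 for a valid header)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def udp_frame(dport: int, payload: bytes, sport: int = 40000) -> bytes:
    """Ethernet II + IPv4 + UDP frame; UDP checksum 0 is legal over IPv4."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([239, 255, 255, 250]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x01\x00\x5e\x7f\xff\xfa" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + udp

def pcap_stream(frames) -> bytes:
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET) then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1316000000 + i, 0, len(f), len(f)) + f
    return out

def count_udp_port(pcap: bytes, port: int) -> int:
    """Count frames whose UDP source or destination port is `port`, i.e. what
    the capture filter 'udp port N' keeps; run it on test.pcap to compare."""
    n, off = 0, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        f = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if f[12:14] == b"\x08\x00" and f[23] == 17:       # IPv4 carrying UDP
            ihl = (f[14] & 0x0F) * 4
            sport, dport = struct.unpack("!HH", f[14 + ihl:14 + ihl + 4])
            n += port in (sport, dport)
    return n

if __name__ == "__main__":
    # Write the stream to the named pipe (or plain file) given on the command line.
    data = pcap_stream(udp_frame(p, pl) for p, pl in SAMPLE)
    with open(sys.argv[1] if len(sys.argv) > 1 else "test_input.pcap", "wb") as fh:
        fh.write(data)
```

Start the generator against the FIFO in the background before the tshark -w command from the question; if the capture filter is applied on the pipe, count_udp_port() on test.pcap returns 3, and if it is not, all five frames are present.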